Security Alert Summary
The ePaperFlip Publisher plugin for WordPress is vulnerable to a stored Cross-Site Scripting (XSS) issue via the publicationid attribute of the epaperflip_embed shortcode. Insufficient input sanitization and output escaping allow authenticated users with Contributor-level access and above to inject JavaScript that will execute when an injected page is viewed.
CVE Details
- CVE ID: CVE-2026-7662
- Affected component: ePaperFlip Publisher plugin for WordPress
- Affected versions: all versions up to, and including, 1
- Published: June 9, 2026, 5:16:39 AM UTC
- Last modified: June 9, 2026, 1:33:34 PM UTC
- CVSS v3.1: Base score 6.4, MEDIUM — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Authentication / privileges / user interaction: Requires authenticated user; privileges required: LOW (Contributor-level access and above); user interaction: NONE
- Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
- Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting)
Technical Details
This vulnerability is a stored Cross-Site Scripting issue rooted in insufficient input sanitization and output escaping for the publicationid attribute of the epaperflip_embed shortcode. The attribute value is injected directly into inline JavaScript, allowing an attacker to include arbitrary script code that is stored in a page or post and executed when other users view the page.
Because the problem is in how the shortcode attribute is handled and escaped before being rendered into inline JavaScript, authenticated users with Contributor-level access or higher can create or edit content that contains the malicious publicationid payload. The vulnerability does not require user interaction once the malicious content is published; any visitor or authenticated user who loads the page will execute the injected script.
How This Could Impact Your Website
Consider a site with multiple roles: the site owner manages plugins and administrators, internal staff publish content, and external contractors or contributors supply articles. A contributor with the ability to add or edit posts could supply a malicious epaperflip_embed shortcode with a crafted publicationid that stores JavaScript in a page. When an editor, administrator, or regular visitor views that page, the script runs in their browser.
Practical consequences of this stored XSS include exposure of information visible to the user, such as internal user display names or email addresses shown on pages, and increased risk of targeted phishing or social engineering that leverages data collected via the injected script. The vulnerability is focused on information disclosure and content integrity rather than direct server takeover.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially Contributor and higher roles for untrusted users.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and content changes for unusual behavior or unexpected shortcode usage.
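As an added example (not code from the plugin or from the advisory), the following audit script supports the last recommendation and the pattern described under Technical Details: it scans exported post content for epaperflip_embed shortcodes and flags any publicationid that is not a plain identifier, or any shortcode body that contains text beyond well-formed attributes (the shape a broken-out quote leaves behind). It assumes you have exported (post_id, post_content) rows, for instance from the wp_posts table, and that a legitimate publication id is alphanumeric; both the id format and the sample rows are assumptions.

```python
import re
from dataclasses import dataclass

# One shortcode tag and its attribute body, e.g. [epaperflip_embed publicationid="123"].
SHORTCODE_RE = re.compile(r"\[epaperflip_embed\b([^\]]*)\]", re.IGNORECASE)
# One well-formed attribute: name="v", name='v' or name=v (WordPress accepts all three).
ATTR_RE = re.compile(r"""\s*(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]"']+))""")
# Assumed shape of a legitimate publication id; adjust to what your publications actually use.
SAFE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

@dataclass
class Finding:
    post_id: int
    shortcode: str
    reason: str

def parse_attrs(body: str):
    """Parse attributes left to right; return (attrs, leftover text that did not parse)."""
    attrs, pos = {}, 0
    while pos < len(body):
        m = ATTR_RE.match(body, pos)
        if not m:
            break
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
        pos = m.end()
    return attrs, body[pos:].strip()

def audit_post(post_id: int, content: str) -> list:
    """Flag epaperflip_embed shortcodes whose publicationid is not a plain identifier."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        attrs, leftover = parse_attrs(m.group(1))
        if leftover:  # text after the last well-formed attribute, e.g. a broken-out quote
            findings.append(Finding(post_id, m.group(0), f"unparsed text inside shortcode: {leftover!r}"))
            continue
        pid = attrs.get("publicationid")
        if pid is not None and not SAFE_ID_RE.match(pid):
            findings.append(Finding(post_id, m.group(0), f"publicationid not in allowed form: {pid!r}"))
    return findings

def audit_posts(rows) -> list:
    """rows: iterable of (post_id, post_content), e.g. exported from wp_posts."""
    return [f for post_id, content in rows for f in audit_post(post_id, content)]

SAMPLE_POSTS = [  # constructed sample rows, not data from any real site
    (101, 'Intro [epaperflip_embed publicationid="20240611"] outro'),
    (102, '[epaperflip_embed publicationid="42; unexpected-text"]'),
    (103, '[epaperflip_embed publicationid=7] and [epaperflip_embed publicationid="7" stray text]'),
]

if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS):
        print(f"post {f.post_id}: {f.reason} in {f.shortcode}")
```

WordPress renders a doubled-bracket form such as `[[epaperflip_embed ...]]` literally instead of executing it, so a hit inside doubled brackets may be a false positive worth checking by hand.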
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.