VI: Include Post By Plugin Vulnerability (CVE-2026-5717)

Security Alert Summary

The VI: Include Post By plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the class_container attribute of the include-post-by-cat shortcode. Authenticated users with contributor-level access or higher can inject scripts via the shortcode attribute due to insufficient input sanitization and output escaping. Injected scripts execute when a page containing the manipulated shortcode is viewed.


CVE Details

  • CVE ID: CVE-2026-5717
  • Affected component: VI: Include Post By plugin (include-post-by-cat shortcode, class_container attribute)
  • Affected versions: All versions up to and including 0.4.200706
  • Published: April 15, 2026 at 9:16:33 AM (UTC)
  • Last modified: April 15, 2026 at 9:16:33 AM (UTC)
  • CVSS v3.1 base score: 6.4 (MEDIUM)
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / Privileges / User interaction:
    • Requires authentication: yes (authenticated attackers with contributor-level access and above)
    • Privileges required: LOW (contributor or higher)
    • User interaction: NONE
  • Primary impact:
    • Confidentiality: LOW
    • Integrity: LOW
    • Availability: NONE
  • CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. Cross-site Scripting)

Technical Details

The vulnerability is a stored cross-site scripting (XSS) flaw that exists because user-supplied attributes for the include-post-by-cat shortcode are not properly sanitized or escaped before being included in page output. Specifically, the class_container attribute can contain attacker-controlled input that is rendered into pages without sufficient output escaping, allowing an authenticated attacker to inject arbitrary JavaScript.

When a contributor or other authenticated user with the required privileges sets a crafted value for class_container, that value is stored and later output as part of a page containing the shortcode. Because output escaping is missing or inadequate, the injected script executes in the browser of any user who views the page, enabling actions consistent with stored XSS (for example, cookie access or DOM manipulation), limited by the browser's same-origin policy.
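As an added illustration (not the plugin's own code), the following hypothetical shortcode handler shows the unsafe pattern the advisory describes next to a hardened version; the function names, the default class and the surrounding markup are assumptions:

```php
<?php
// Illustrative WordPress shortcode handlers (hypothetical, not the plugin's code)
// that render a CSS class taken from the class_container shortcode attribute.

// Vulnerable pattern: the attribute is concatenated into markup as-is, so a
// contributor-controlled value can break out of the class="" attribute and
// is then rendered to every viewer of the page (stored XSS, CWE-79).
function ipb_vulnerable_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'class_container' => 'ipb-container' ), $atts, 'include-post-by-cat' );
    $out  = '<div class="' . $atts['class_container'] . '">';
    // ... post listing output would go here ...
    $out .= '</div>';
    return $out;
}

// Hardened pattern: restrict the value to legal CSS class characters, then
// escape at the point of output so quotes and angle brackets cannot form markup.
function ipb_hardened_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'class_container' => 'ipb-container' ), $atts, 'include-post-by-cat' );

    // Allow a space-separated list of classes; sanitize_html_class() keeps only
    // [A-Za-z0-9_-] in each token and yields '' for anything else, which
    // array_filter() drops.
    $tokens  = preg_split( '/\s+/', $atts['class_container'], -1, PREG_SPLIT_NO_EMPTY );
    $classes = array_filter( array_map( 'sanitize_html_class', $tokens ) );
    $class_attr = $classes ? implode( ' ', $classes ) : 'ipb-container';

    // esc_attr() is the second layer: even if the sanitization above is
    // loosened later, the value is still HTML-attribute-escaped on output.
    $out  = '<div class="' . esc_attr( $class_attr ) . '">';
    // ... post listing output would go here ...
    $out .= '</div>';
    return $out;
}

add_shortcode( 'include-post-by-cat', 'ipb_hardened_shortcode' );
```

The same two-layer rule (sanitize on input, escape on output) applies to every other shortcode attribute the handler echoes into HTML, not only class_container.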


How This Could Impact Your Website

Consider a multi-author WordPress site where a site owner manages editors and contributors and an external contractor provides content. If a contributor inserts a malicious payload into the class_container attribute while editing a post or shortcode-enabled block, that payload can be stored and executed when editors, administrators, or site visitors view the affected page. Practical consequences include exposure of internal user email addresses or other data visible in the page context and an increased risk of targeted phishing or social engineering against staff whose browsers execute the injected script.

This vulnerability does not, by itself, imply full site takeover, but it does increase risk to user data and trust. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles; limit contributor access where possible.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior or unexpected content changes.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
