Security Alert Summary
The Docus – YouTube Video Playlist plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the docusplaylist shortcode. Insufficient input sanitization and output escaping of user-supplied shortcode attributes allow authenticated users with Contributor-level access or higher to inject scripts that execute when a page with the injected content is viewed.
CVE Details
- CVE ID: CVE-2026-1888
- Affected plugin / component: Docus – YouTube Video Playlist plugin for WordPress
- Affected versions: All versions up to, and including, 1.0.6
- Published: February 6, 2026 at 7:16:12 AM UTC
- Last modified: February 6, 2026 at 3:14:47 PM UTC
- CVSS v3.1: Base Score 6.4 (MEDIUM) —
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N - Authentication / privileges / user interaction: Privileges Required: Low (authenticated user, Contributor-level or above); User Interaction: None
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- CWE / weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-site Scripting)
Technical Details
The vulnerability is a stored cross-site scripting (XSS) issue caused by insufficient input sanitization and output escaping for attributes passed to the docusplaylist shortcode. According to the description, user-supplied shortcode attributes are not properly handled, which allows an authenticated user with Contributor-level access or higher to inject arbitrary web scripts into pages where the shortcode is used. Those scripts will execute in the context of any user who views the injected page.
The CVE references the plugin’s shortcode handling (see the provided code references to class.shortcode.php), indicating the problem occurs where shortcode attributes are processed and rendered without appropriate sanitization/escaping. The impact is limited to what XSS normally enables: execution of script in page visitors’ browsers, which can lead to session theft, unauthorized actions in the context of the visitor, or exposure of information accessible to the browser session.
How This Could Impact Your Website
In a typical small-to-medium business WordPress site, the site owner may publish content while internal staff or external contributors add playlists using the plugin. An external contractor or contributor with Contributor-level access could insert a malicious payload into a playlist shortcode. When another staff member or a site visitor views that page, the injected script could run in their browser, potentially exposing their session data or performing actions available to that user in the browser context.
Practical consequences include exposure of internal user information (such as email addresses visible in the page or accessible via JavaScript), increased risk of targeted phishing or social engineering against staff with elevated access, and unauthorized actions performed by a victim’s browser against the site or third-party services accessed in that session. The vulnerability does not, based on the CVE details, indicate direct server-side code execution or guaranteed full site compromise.
If youre unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available (the CVE entry does not specify a fixed version).
- Review and reduce unnecessary user roles and capabilities, especially for Contributors and other lower-privileged accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, including unexpected content changes or new shortcode usage in posts and pages.
If youd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/docus/tags/1.0.6/includes/class.shortcode.php#L55
- https://plugins.trac.wordpress.org/browser/docus/trunk/includes/class.shortcode.php#L55
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3454510%40docus&new=3454510%40docus&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/16c6fec8-81ec-477a-9942-10fd3adb8fa4?source=cve