Security Alert Summary
The OMIGO plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its omigo_donate_button shortcode. Insufficient input sanitization and missing output escaping for user-supplied attributes allow authenticated users with contributor-level access and above to inject arbitrary scripts into pages. Those scripts will execute whenever a user views an affected page.
CVE Details
- CVE ID: CVE-2026-1573
- Affected component: OMIGO plugin for WordPress
- Affected versions: All versions up to and including 3.3 (as stated in the CVE entry)
- Published: February 7, 2026 at 9:16 AM UTC
- Last modified: February 7, 2026 at 9:16 AM UTC
- CVSS v3.1: Base Score 6.4, Severity MEDIUM, Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N - Attack vector / complexity / scope: Network / Low / Changed
- Authentication / privileges / user interaction: Requires an authenticated user; privileges required: Low (contributor-level access and above); user interaction: None
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- CWE / weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting)
Technical Details
The vulnerability is a stored cross-site scripting (XSS) issue arising from insufficient input sanitization and missing output escaping of user-supplied attributes to the omigo_donate_button shortcode. According to the CVE description, this affects all versions up to and including 3.3.
Because the plugin inserts user-controlled attribute values into page output without proper sanitization/escaping, an authenticated attacker with contributor-level privileges (or higher) can supply payloads that are stored in post or page content. Those payloads are executed as scripts in the browser of any user who views the injected page.
The CVE entry does not name additional functions, REST endpoints, or specific file paths beyond the shortcode. No fixed version or remediation timeline is specified in the CVE entry.
How This Could Impact Your Website
Consider a site where multiple people contribute content: a site owner, internal staff (editors), and external contributors. An external contributor or an internal user with contributor-level access could add or edit a page or post that includes the vulnerable omigo_donate_button shortcode with crafted attributes. When other users, including site administrators or editors, visit that page, the injected script will run in their browsers.
Practical consequences, consistent with the CVSS impact ratings, include limited exposure of information available to script execution in the user’s browser (for example, visible user data on the page or data accessible to scripts in that context). This can increase the risk of targeted phishing or social engineering and could expose internal user email addresses if those are available to the injected page context.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
- Review and reduce unnecessary user roles; limit which accounts have contributor or higher privileges.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, especially content edits from contributors.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.