WordPress Security Bulletin: Simple Plyr Plugin Vulnerability (CVE-2026-1915)

On this page

Security Alert Summary

The Simple Plyr plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the poster parameter of the plyr shortcode. Insufficient input sanitization and output escaping for user-supplied attributes allows authenticated users with Contributor-level access and above to inject scripts that execute when an affected page is viewed.


CVE Details

  • CVE ID: CVE-2026-1915
  • Affected component: Simple Plyr plugin for WordPress
  • Affected versions: All versions up to and including 0.0.1
  • Published: February 14, 2026 at 7:16:11 AM
  • Last modified: February 14, 2026 at 7:16:11 AM
  • CVSS v3.1 base score: 6.4 (MEDIUM)
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / Privileges: Authenticated attacker required; description specifies Contributor-level access and above. CVSS privileges required: LOW.
  • User interaction: NONE (no user interaction required for exploit to occur once malicious content is present)
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
  • CWE / weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation)
  • Fixed version: Not specified in the CVE entry.

Technical Details

This vulnerability is a stored cross-site scripting issue resulting from insufficient sanitization and escaping of user-supplied attributes on the plyr shortcode. Specifically, the poster parameter can contain data that is stored and later rendered in pages without proper input validation or output encoding. Because the content is stored and served in page output, injected scripts execute in the context of users who view the affected page.

The CVE description identifies the vector as the poster attribute of the plyr shortcode; no additional functions or endpoints are named in the CVE entry. The impact is limited to the consequences of stored XSS: execution of arbitrary script in the browser of users who load the injected page.


How This Could Impact Your Website

In a typical small organization, an external contributor or an internal staff member with Contributor-level access could add or edit content that includes a malicious poster value via the plugin’s shortcode. When other users—such as site editors, administrators, or regular visitors—view the page, the injected script would run in their browsers. Practical consequences include disclosure of user-specific data available to the browser (for example, session tokens or profile information accessible in the page context) and the potential for targeted phishing or social engineering against staff whose email addresses or names are exposed elsewhere on the site.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (No fixed version is specified in the CVE entry.)
  • Review and reduce unnecessary user roles, especially Contributors and accounts with upload or content-creation privileges.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and page content for unusual changes or unexpected script tags in stored content.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References