Security Alert Summary
The Wikiloops Track Player plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its wikiloops shortcode. Insufficient input sanitization and output escaping of user-supplied shortcode attributes allow authenticated users with contributor-level access or higher to inject scripts into pages that execute when those pages are viewed.
CVE Details
- CVE ID: CVE-2026-1611
- Affected component: Wikiloops Track Player plugin for WordPress
- Affected versions: All versions up to and including 1.0.1
- Published: February 7, 2026 at 9:16 AM UTC
- Last modified: February 7, 2026 at 9:16 AM UTC
- CVSS v3.1: Base Score 6.4, MEDIUM — Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N - Authentication / Privileges / User Interaction: Requires low privileges (authenticated user, contributor-level or higher). No user interaction required.
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- Weakness (CWE): CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting)
Technical Details
The vulnerability is a stored cross-site scripting (XSS) issue originating from insufficient input sanitization and output escaping of user-supplied attributes passed to the plugin’s wikiloops shortcode. Because the shortcode accepts attributes from authenticated users and those values are rendered into pages without adequate filtering or escaping, an authenticated attacker with contributor-level access or above can inject arbitrary JavaScript into a page. The injected script is stored by the plugin and will execute in the browser of any user who visits the affected page.
The CVE description does not name specific PHP functions, hooks, or REST API endpoints involved, and does not specify a fixed or patched plugin version.
How This Could Impact Your Website
Consider a site with a site owner, several internal staff members (editors and authors), and external contributors. If a contributor injects a script through the vulnerable shortcode, any user who views the infected page could have that script executed in their browser. Practical consequences consistent with the reported impacts include:
- Exposure of limited confidential data (for example, user profile fields such as email addresses visible on a page) consistent with the CVSS confidentiality impact being rated as low.
- Unauthorized modification of page content or insertion of misleading content visible to visitors, reflecting the integrity impact.
- Increased risk of targeted phishing or social engineering against staff or contributors if email addresses or role information are accessible from infected pages.
The vulnerability does not indicate an availability impact and does not imply complete site takeover based on the information in the CVE entry. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles and permissions, especially contributor-level accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and logs for unusual behavior, suspicious edits, or unexpected shortcode usage.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.