WordPress Plugin Vulnerabilities

Weaver Show Posts <= 1.8.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Additional Classes to Wrap Posts' Widget Setting

Description

The Weaver Show Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_class' parameter in all versions up to, and including, 1.8.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This primarily affects multisite installations where Administrators do not have the unfiltered_html capability.

Affects Plugins

Plugin icon
show-posts
No known fix

References

CVE
CVE-2026-2121
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e0d525ab-a86d-4750-9d16-731cbc0a626e

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Muqsith Barru
Verified
No
WPVDB ID
4675d71d-8c31-4204-8a70-8d15092518fb

Timeline

Publicly Published
2026-03-20 (about 1 month ago)
Added
2026-03-20 (about 1 month ago)
Last Updated
2026-05-07 (about 6 days ago)

Other

Published
Title
Published
2024-08-16
Title
Bravada < 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2014-12-01
Title
Wordfence 5.2.2 - XSS in Referer Header
Published
2025-09-03
Title
Event Feed for Eventbrite < 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-06-12
Title
Kama Click Counter < 4.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-01
Title
Design Blocks <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting