CVE-2026-1575 in Schema Shortcode Plugin
Summary
by MITRE • 03/21/2026
The Schema Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `itemscope` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/27/2026
The Schema Shortcode plugin for WordPress presents a critical security vulnerability classified as CVE-2026-1575, affecting all versions up to and including 1.0. This vulnerability manifests as a stored cross-site scripting flaw that specifically targets the plugin's `itemscope` shortcode functionality. The core issue stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase, creating a persistent security risk that can be exploited by authenticated attackers possessing contributor-level privileges or higher. The vulnerability represents a significant concern for WordPress administrators as it allows malicious actors to inject malicious scripts that execute in the context of victim users' browsers, potentially leading to unauthorized access to sensitive data or system compromise.
The technical flaw resides in how the plugin processes user-supplied attributes within the `itemscope` shortcode implementation. When attackers provide malicious input through shortcode parameters, the plugin fails to properly sanitize or escape these inputs before rendering them in the output HTML. This insufficient validation creates a persistent XSS vector where malicious scripts are stored within the plugin's data structures and executed whenever legitimate users access pages containing the compromised shortcode. The vulnerability's impact is amplified by the fact that it requires only contributor-level access, making it particularly dangerous as it can be exploited by users who typically have limited administrative privileges but can still modify content. This flaw aligns with CWE-79, which specifically addresses Cross-Site Scripting vulnerabilities, and demonstrates poor input validation practices that violate fundamental web security principles.
The operational impact of this vulnerability extends beyond simple script execution, potentially enabling attackers to perform session hijacking, data exfiltration, or further exploitation of the target system. When authenticated users access pages containing the malicious shortcode, their browsers execute the injected scripts, which could redirect them to phishing sites, steal cookies and session tokens, or even install malware. The stored nature of this vulnerability means that once the malicious payload is injected, it remains persistent and will continue to affect users until the plugin is updated or the malicious content is manually removed. This type of vulnerability can significantly undermine user trust in the website and potentially lead to regulatory compliance issues, particularly in environments where data protection and user privacy are paramount.
Mitigation strategies for CVE-2026-1575 should prioritize immediate plugin updates to versions that address the sanitization and escaping issues. System administrators should implement strict input validation measures and ensure that all user-supplied content is properly escaped before being rendered in web pages. The principle of least privilege should be enforced by limiting contributor-level access to only necessary functions and monitoring content modifications. Additionally, implementing Content Security Policy headers can provide an additional layer of protection against script execution, while regular security audits of plugins and themes can help identify similar vulnerabilities before they can be exploited. Organizations should also consider implementing web application firewalls and monitoring systems to detect and block suspicious shortcode usage patterns that may indicate attempted exploitation of this vulnerability.