CVE-2026-1822 in WP NG Weather Plugin

Summary

by MITRE • 03/21/2026

The WP NG Weather plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ng-weather' shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/27/2026

The WP NG Weather plugin vulnerability represents a critical stored cross-site scripting flaw that undermines the security posture of WordPress installations. This weakness exists within the plugin's 'ng-weather' shortcode implementation and affects all versions up to and including 1.0.9, creating a persistent threat vector that can be exploited by attackers with contributor-level privileges or higher. The vulnerability stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate or escape user-supplied attributes before processing them within the plugin's shortcode functionality. The flaw allows malicious actors to inject arbitrary web scripts that execute whenever legitimate users access pages containing the compromised shortcode, making it particularly dangerous due to its persistence and potential for widespread impact.

The exploitation pattern falls under CWE-79, which covers cross-site scripting. Attackers with contributor-level access can inject malicious payloads through the plugin's shortcode attributes, which the plugin renders without sufficient sanitization or output escaping. Because this is stored XSS, the injected script is saved with the content that carries the shortcode and runs on every subsequent load of that page. This persistence differentiates it from reflected XSS and makes it particularly challenging to detect and remediate once exploited. The vulnerability operates at the application layer, in the plugin's shortcode processing, and can be used to compromise user sessions, steal sensitive data, or redirect users to malicious sites.

The operational impact of this vulnerability extends beyond simple script injection, creating significant risks for WordPress administrators and end users. Authenticated attackers with contributor privileges can craft malicious shortcodes that execute in the context of other users' browsers, potentially leading to session hijacking, data exfiltration, or privilege escalation within the WordPress environment. The attack surface is particularly concerning because contributors typically have the ability to create and edit posts and pages, making the exploitation vector readily available through normal content management workflows. This vulnerability can be leveraged to establish persistent backdoors, harvest user credentials, or deploy additional malware payloads. The impact is amplified by the fact that the vulnerability affects all versions up to 1.0.9, indicating a long-standing flaw that has remained unpatched, leaving numerous installations exposed to potential exploitation.

Mitigation strategies for this vulnerability must address both immediate remediation and long-term security improvements. The most critical step is updating to the latest version of the WP NG Weather plugin where the XSS vulnerability has been patched, though organizations should verify that the update resolves the specific issue without introducing regressions. Developers should prioritize proper input validation and output escaping, ensuring that all user-supplied attributes are sanitized before being processed or rendered. Organizations should also consider web application firewalls that can detect and block malicious payload injection attempts, along with regular security audits of plugin installations to identify similar vulnerabilities. The ATT&CK framework categorizes this type of vulnerability under T1566, which encompasses social engineering techniques, as the exploitation often relies on attackers gaining sufficient privileges to inject malicious content. Additionally, applying the principle of least privilege reduces the attack surface by limiting the ability of low-privilege users to inject malicious content into the system.
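
For the audit step, the following added example (not code from the plugin or from VulDB) scans stored post content for 'ng-weather' shortcodes and flags attribute values that are only safe if the plugin escapes them on output. The attribute names and sample rows are constructed; the quoting rules follow WordPress shortcode attribute syntax.

```python
import html
import re

TAG = "ng-weather"  # shortcode named in the advisory

# [ng-weather ...]; group 1 is the raw attribute text. The lookahead keeps
# longer tag names such as ng-weather-extra from matching.
SHORTCODE_RE = re.compile(r"\[" + re.escape(TAG) + r"(?=[\s\]/])([^\]]*)\]")

# name="v", name='v' or name=v: the quoting styles WordPress shortcodes accept.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"]+))""")

# Values matching these are only safe if escaped for the output context.
RISKY = [
    ("markup characters", re.compile(r"[<>\"'`]")),
    ("event-handler attribute", re.compile(r"\bon\w+\s*=", re.I)),
    ("script-capable URL scheme",
     re.compile(r"^\s*(?:javascript|data|vbscript)\s*:", re.I)),
]


def parse_attrs(raw):
    """Return {name: value} for one shortcode's raw attribute text."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def audit(posts):
    """posts: iterable of (post_id, post_content); returns flagged attributes."""
    findings = []
    for post_id, content in posts:
        for sc in SHORTCODE_RE.finditer(content):
            for name, value in parse_attrs(sc.group(1)).items():
                decoded = html.unescape(value)  # catch entity-encoded markup too
                reasons = [label for label, rx in RISKY if rx.search(decoded)]
                if reasons:
                    findings.append((post_id, name, reasons))
    return findings


# Constructed sample rows (ID, post_content); attribute names are hypothetical.
SAMPLE_POSTS = [
    (101, 'Forecast: [ng-weather city="Lyon" units="metric"]'),
    (102, "[ng-weather city='x\" onmouseover=\"alert(1)']"),
    (103, '[ng-weather link="javascript:void(0)"]'),
    (104, "No shortcode here, just text with <b>markup</b>."),
]
```

Feed audit() the ID and post_content columns exported from wp_posts; a flagged row is a prompt to review that post's revisions and author, not proof of compromise.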

Responsible: Wordfence
Reservation: 02/03/2026
Disclosure: 03/21/2026
Moderation: accepted
CPE: ready
EPSS: 0.00043
KEV: no
Activities: very low
