CVE-2026-1853 in BuddyHolis ListSearch Plugin
Summary
by MITRE • 02/11/2026
The BuddyHolis ListSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'listsearch' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/12/2026
The vulnerability identified as CVE-2026-1853 affects the BuddyHolis ListSearch plugin for WordPress, specifically targeting versions up to and including 1.1. This represents a critical security flaw that exploits the plugin's 'listsearch' shortcode implementation, creating a persistent cross-site scripting vector that can be leveraged by attackers with relatively low privileges. The vulnerability stems from inadequate input validation and output sanitization mechanisms within the plugin's codebase, allowing malicious actors to inject malicious scripts that execute in the context of victim users' browsers.
The technical implementation of this vulnerability occurs through the plugin's shortcode functionality where user-supplied attributes are not properly sanitized before being processed and rendered in web pages. When an authenticated user with contributor-level access or higher creates or modifies content using the listsearch shortcode, they can inject malicious JavaScript code through parameters that are then stored in the database. This stored script executes whenever any user accesses pages containing the vulnerable shortcode, making it a persistent threat that affects all visitors to affected WordPress installations. The flaw directly maps to CWE-79 which defines Cross-Site Scripting vulnerabilities as weaknesses that occur when an application incorporates untrusted data into web pages without proper validation or escaping.
The operational impact of this vulnerability is significant as it provides attackers with a means to execute arbitrary code in the browsers of unsuspecting users who access pages containing the malicious shortcode. This could enable session hijacking, credential theft, defacement of web pages, or redirection to malicious sites. The vulnerability's exploitation requires only contributor-level privileges, making it particularly dangerous as it can be leveraged by users who have legitimate access to WordPress content management functions but are not administrators. This creates a scenario where internal threats or compromised accounts can be weaponized to attack other users within the same WordPress installation. The attack vector aligns with ATT&CK technique T1566 which describes social engineering methods including the use of malicious content to gain initial access.
Mitigation strategies should prioritize immediate patching of the affected plugin to version 1.2 or later where the input sanitization and output escaping issues have been resolved. Administrators should also implement additional security measures including regular monitoring of user activities, particularly for contributors and editors who have access to shortcode functionality. Input validation should be strengthened at multiple layers including WordPress filters, plugin-specific sanitization routines, and output escaping mechanisms. The principle of least privilege should be enforced by restricting shortcode usage to administrators only where possible, and implementing content security policies to prevent script execution in web pages. Additionally, regular security audits of WordPress plugins and themes should be conducted to identify similar vulnerabilities that may exist in other third-party components of the web application stack.