CVE-2026-1886 in Go Night Pro Plugin

Summary

by MITRE • 03/21/2026

The Go Night Pro | WordPress Dark Mode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'go-night-pro-shortcode' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on the user-supplied 'margin' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/21/2026

The vulnerability identified as CVE-2026-1886 affects the Go Night Pro WordPress plugin, specifically its dark mode functionality as exposed through the 'go-night-pro-shortcode' implementation. This security flaw exists in all versions up to and including 1.1.0, representing a critical concern for WordPress site administrators who rely on this plugin for their website's visual customization. The vulnerability is a stored cross-site scripting vector that can be exploited by authenticated users with contributor-level privileges or higher, which significantly expands the potential attack surface beyond typical unauthenticated threats.

The technical root cause of this vulnerability is inadequate input sanitization and output escaping within the plugin's shortcode processing logic. When a user supplies a value through the 'margin' attribute of the 'go-night-pro-shortcode', the plugin fails to validate or sanitize this data before it is stored in the WordPress database as part of the post content. The stored value is later retrieved and rendered without appropriate escaping, so a malicious script can persist and execute on every view. The vulnerability is classified under CWE-79 as a failure to escape output, specifically a stored XSS that allows persistent script injection.

The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform various malicious activities through the compromised WordPress installation. An authenticated attacker with contributor privileges can inject persistent JavaScript code that executes whenever any user accesses a page containing the vulnerable shortcode. Because the payload is stored, it runs for every user who views an affected page, potentially leading to session hijacking, credential theft, data exfiltration, or further compromise of the WordPress installation. The attack requires minimal privileges, making it particularly dangerous because it can be carried out by users who should normally have limited administrative capabilities.

Security practitioners should immediately implement mitigations: update to the latest version of the Go Night Pro plugin, where the vulnerability has been patched, or apply temporary workarounds such as restricting contributor-level user permissions or disabling the affected shortcode functionality. The ATT&CK framework categorizes this vulnerability under T1546.001 for 'Privilege Escalation' through 'System Scripting' and T1566.001 for 'Initial Access' through 'Phishing'. Organizations should also consider deploying Content Security Policy headers as an additional defense-in-depth measure against XSS. The vulnerability highlights the critical importance of input validation and output escaping in web applications, particularly in plugins that process user-generated content, as reflected in the NIST National Vulnerability Database's classification of this issue as a high-risk security flaw requiring immediate attention.
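The following is an added illustration of the defect class described above, not code from the Go Night Pro plugin: a shortcode handler that renders a user-supplied 'margin' attribute into an inline style, first in the vulnerable shape (value emitted unchanged) and then hardened with an allow-list check plus attribute-context escaping. Function names prefixed gnp_ and the markup layout are assumptions; the block assumes WordPress is loaded and provides minimal fallbacks only so it can be run stand-alone.

```php
<?php
// Added example, not the plugin's own code. The gnp_* names and the markup are assumed.
// Shortcodes are expanded at render time, after any save-time content filtering,
// so the handler itself must validate and escape what it emits.

if ( ! function_exists( 'esc_attr' ) ) { // stand-alone fallbacks for running outside WordPress
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function shortcode_atts( $d, $a, $tag = '' ) { return array_merge( $d, array_intersect_key( (array) $a, $d ) ); }
    function add_shortcode( $tag, $cb ) {}
}

// Vulnerable pattern: the raw attribute value lands inside a quoted HTML attribute.
function gnp_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'margin' => '0' ), $atts, 'go-night-pro-shortcode' );
    return '<div class="gnp-toggle" style="margin:' . $atts['margin'] . '">...</div>';
}

// Allow-list: a single CSS length or percentage ("0", "10px", "1.5em", "2%"); anything else falls back.
function gnp_sanitize_margin( $value, $default = '0' ) {
    $value = trim( (string) $value );
    return preg_match( '/^(0|-?\d+(\.\d+)?(px|em|rem|%|vh|vw))$/', $value ) ? $value : $default;
}

// Hardened pattern: validate the value first, then escape for the attribute context it is placed in.
function gnp_shortcode_hardened( $atts ) {
    $atts   = shortcode_atts( array( 'margin' => '0' ), $atts, 'go-night-pro-shortcode' );
    $margin = gnp_sanitize_margin( $atts['margin'] );
    return '<div class="gnp-toggle" style="margin:' . esc_attr( $margin ) . '">...</div>';
}

add_shortcode( 'go-night-pro-shortcode', 'gnp_shortcode_hardened' );

// Constructed check: a value carrying a quote and a tag is neutralised by the hardened handler.
$unsafe = '10px"><b>x</b>';
assert( strpos( gnp_shortcode_vulnerable( array( 'margin' => $unsafe ) ), '<b>' ) !== false );
assert( strpos( gnp_shortcode_hardened( array( 'margin' => $unsafe ) ), '<b>' ) === false );
assert( gnp_sanitize_margin( ' 12px ' ) === '12px' && gnp_sanitize_margin( '12px; color:red' ) === '0' );
```

Running the file with `php -d zend.assertions=1` exercises the three assertions; in a deployed plugin the same allow-list check should be applied to every attribute that reaches HTML output, not only 'margin'.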

Responsible: Wordfence

Reservation: 02/04/2026

Disclosure: 03/21/2026

Moderation: accepted

CPE: ready

EPSS: 0.00048

KEV: no

Activities: very low
