CVE-2026-1891 in Simple Football Scoreboard Plugin
Summary
by MITRE • 03/21/2026
The Simple Football Scoreboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ytmr_fb_scoreboard' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/21/2026
The Simple Football Scoreboard plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2026-1891 affecting all versions up to and including 1.0. This vulnerability resides within the 'ytmr_fb_scoreboard' shortcode implementation where the plugin fails to properly sanitize user-supplied input parameters and adequately escape output rendering. The flaw represents a classic stored XSS vector that allows authenticated attackers with contributor-level privileges or higher to inject malicious scripts into the plugin's shortcode attributes. The vulnerability stems from inadequate input validation mechanisms that permit malicious payloads to be stored within the WordPress database and subsequently executed whenever affected pages are accessed by other users. This creates a persistent threat where compromised pages can serve as attack vectors for further exploitation.
The technical exploitation of this vulnerability follows established patterns documented in CWE-79, which classifies cross-site scripting as a weakness in input validation and output escaping. Attackers can leverage this vulnerability by crafting malicious shortcode parameters containing JavaScript payloads that get stored in the database and executed in the context of other users' browsers. The impact extends beyond simple script execution to potentially enable session hijacking, credential theft, or redirection to malicious sites. The vulnerability's severity is amplified by the fact that it requires only contributor-level access, which is a relatively low privilege level in WordPress, making it accessible to users who can create and edit posts. This privilege level typically allows users to add content to the site, making the attack surface broader than might initially be expected.
The operational implications of this vulnerability are significant for WordPress administrators and site owners who rely on the Simple Football Scoreboard plugin. Once exploited, the stored XSS can compromise user sessions and potentially escalate to full site compromise if attackers can leverage the executed scripts to perform additional malicious activities. The vulnerability affects all versions up to 1.0, indicating that the plugin developers failed to implement proper security measures during the development lifecycle. This represents a failure in the secure coding practices that should be enforced according to industry standards such as those outlined in the OWASP Top Ten and NIST cybersecurity frameworks. The attack vector aligns with ATT&CK technique T1566.001 for credential access through social engineering and T1059.001 for command and scripting interpreter execution, as the XSS allows for arbitrary code execution within user contexts.
Mitigation strategies should focus on immediate patching of the vulnerable plugin to version 1.1 or later where the sanitization and escaping issues have been addressed. Administrators should also implement additional security measures including role-based access controls to limit contributor privileges where possible, and regular security audits of installed plugins. The WordPress core security team recommends monitoring for suspicious shortcode usage and implementing content security policies to limit script execution. Additionally, administrators should consider implementing web application firewalls to detect and block malicious payloads attempting to exploit this vulnerability. Regular security updates and vulnerability assessments should be part of the ongoing security posture to prevent similar issues in the future. The vulnerability highlights the importance of input validation and output escaping as fundamental security practices that must be implemented throughout the software development lifecycle to prevent such persistent threats from being introduced into production systems.