CVE-2026-1893 in Orbisius Random Name Generator Plugin

Summary

by MITRE • 02/11/2026

The Orbisius Random Name Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btn_label' parameter in the 'orbisius_random_name_generator' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 02/12/2026

The vulnerability identified as CVE-2026-1893 affects the Orbisius Random Name Generator WordPress plugin in all versions up to and including 1.0.2. It is a critical security flaw: a stored cross-site scripting vulnerability in the plugin's shortcode handling. The root cause is inadequate input sanitization and output escaping, so user-supplied data is neither validated nor encoded before it is processed and rendered into the page. The affected parameter, 'btn_label' of the 'orbisius_random_name_generator' shortcode, therefore gives a malicious actor a way to place persistent script into the plugin's output.

Exploitation works through the 'btn_label' parameter used by the shortcode implementation. When an authenticated attacker with Contributor-level privileges or higher submits a malicious value for this parameter, the missing validation lets the script be saved along with the page content in which the shortcode appears. The stored script then executes whenever any user views a page containing the vulnerable shortcode, making it a persistent threat that affects multiple users without any repeated exploitation. The weakness lies in the output rendering step, where the attribute value is embedded directly into HTML without escaping, a classic stored XSS scenario.

From an operational perspective, this vulnerability poses significant risk to WordPress installations running the affected plugin. Because Contributor-level access or higher is required, the threat comes from attackers who hold, or have compromised, an account with at least those permissions; such an attacker can cause arbitrary script to run in the browsers of other users. That could be used to steal session cookies, perform actions on behalf of users, redirect users to malicious sites, or harvest sensitive information from the affected site. The impact extends beyond a single session: because the script is stored, every user who views a page containing the injected shortcode becomes a potential victim.

Security practitioners should apply mitigations immediately, focusing on input validation and output escaping. The primary recommendation is to upgrade to the latest version of the Orbisius Random Name Generator plugin, in which the vulnerability has been addressed through proper sanitization of input parameters and appropriate output escaping. Administrators should additionally consider a web application firewall that can detect and block script injections matching known XSS patterns. The vulnerability is classified under CWE-79 (cross-site scripting); in practice it lets a lower-privileged authenticated user run script in the browser context of higher-privileged users who view the page, which undermines the site's privilege boundaries. Organizations should also consider a Content Security Policy to limit script execution on affected pages; the page maps the technique to ATT&CK T1059.001 under Command and Scripting Interpreter. Remediation should include a thorough audit of all plugin parameters and input handling paths so that similar flaws do not persist in other components of the WordPress installation.
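The defect class described above, shown as an added illustration that is not the plugin's own source: a hypothetical shortcode handler that interpolates the btn_label attribute into markup unescaped, next to a hardened version that sanitizes on input and escapes for each output context with the WordPress escaping API. The function names and the `rng_` prefix are assumptions.

```php
<?php
// Illustrative only: NOT the Orbisius plugin's code. Both handlers are hypothetical.

// Vulnerable pattern: the attribute value is dropped straight into HTML.
// [orbisius_random_name_generator btn_label="..."] -- a Contributor controls
// btn_label, and it reaches every visitor's browser unchanged.
function rng_shortcode_vulnerable( $atts ) {
    $atts  = shortcode_atts( array( 'btn_label' => 'Generate' ), (array) $atts, 'orbisius_random_name_generator' );
    $label = $atts['btn_label']; // no sanitization, no escaping
    return '<button class="rng-btn" data-label="' . $label . '">' . $label . '</button>';
}

// Hardened pattern: sanitize on input, then escape for the exact output context.
function rng_shortcode_fixed( $atts ) {
    $atts = shortcode_atts( array( 'btn_label' => 'Generate' ), (array) $atts, 'orbisius_random_name_generator' );
    // sanitize_text_field() strips tags, invalid octets and line breaks from the raw value.
    $label = sanitize_text_field( $atts['btn_label'] );
    // esc_attr() for the attribute context, esc_html() for the text-node context.
    return '<button class="rng-btn" data-label="' . esc_attr( $label ) . '">'
        . esc_html( $label ) . '</button>';
}

// Registering the hardened handler (shortcode name taken from the advisory).
add_shortcode( 'orbisius_random_name_generator', 'rng_shortcode_fixed' );
```

Sanitizing alone is not sufficient: the escaping call must match the context (attribute versus text node), which is why both esc_attr() and esc_html() appear in the hardened handler.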

Disclosure

02/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00014

KEV

no

Activities

very low

Sources
