CVE-2026-2121 in Weaver Show Posts Plugin

Summary

by MITRE • 03/21/2026

The Weaver Show Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_class' parameter in all versions up to, and including, 1.8.1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This primarily affects multisite installations where Administrators do not have the unfiltered_html capability.


Analysis

by VulDB Data Team • 03/21/2026

CVE-2026-2121 affects the Weaver Show Posts plugin for WordPress, a plugin for displaying custom post types and other content on pages. The issue is a stored cross-site scripting (XSS) flaw present in all versions up to and including 1.8.1. Because exploitation requires Administrator-level access, it is not a critical bug on a single-site installation: there an Administrator already holds the unfiltered_html capability and can place arbitrary markup in content without any plugin bug. The case that matters is WordPress multisite, where site Administrators do not have unfiltered_html and WordPress strips script-bearing markup from what they save; this flaw gives such an account a way around that restriction.

The root cause is that the plugin neither sanitizes the 'add_class' parameter on input nor escapes it on output. The parameter lets the page author append CSS class names to the markup the plugin generates, so a legitimate value is a list of class tokens. Because the value is placed into the generated HTML unchanged, a value containing a quote character can close the class attribute and introduce an event-handler attribute or a new tag, and the browser executes it. The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation). It is stored rather than reflected XSS because the malicious value is saved with the page content in the database and is rendered on every subsequent view, not only in the request that carried it.
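The following is an added example and is not code from the Weaver Show Posts plugin or from Wordfence. It uses a hypothetical [demo_posts] shortcode with an add_class attribute to show the vulnerable shape the advisory describes (attribute value concatenated straight into the markup) next to a hardened shape (per-token whitelisting with sanitize_html_class, then esc_attr on output). The stand-in definitions at the top exist only so the file runs from the PHP CLI without WordPress; inside WordPress the real functions are used.

```php
<?php
// Added example, not code from the Weaver Show Posts plugin: a hypothetical
// [demo_posts] shortcode that accepts an add_class attribute, shown in the
// vulnerable shape described by the advisory and in a hardened shape.

// Stand-ins so this file runs from the CLI without WordPress loaded. Inside
// WordPress the real functions already exist and these blocks are skipped.
// They approximate, not replicate, the WordPress implementations.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_html_class')) {
    function sanitize_html_class($class, $fallback = '') {
        $clean = preg_replace('/[^A-Za-z0-9_-]/', '', (string) $class);
        return ($clean === '') ? $fallback : $clean;
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        return array_merge($pairs, array_intersect_key((array) $atts, $pairs));
    }
}

// Vulnerable shape: the attribute value lands in the HTML unchanged, so a
// quote in it closes class="..." and whatever follows becomes new attributes.
function demo_posts_vulnerable($atts) {
    $a = shortcode_atts(['add_class' => ''], $atts);
    return '<div class="show-posts ' . $a['add_class'] . '">...</div>';
}

// Hardened shape: treat add_class as a list of class tokens, keep only the
// characters a class name may contain, then escape the attribute on output.
// Both steps matter: sanitize_html_class enforces the vocabulary, esc_attr
// guarantees the attribute boundary even if a filter later widens the vocabulary.
function demo_posts_hardened($atts) {
    $a = shortcode_atts(['add_class' => ''], $atts);
    $classes = ['show-posts'];
    foreach (preg_split('/\s+/', trim((string) $a['add_class'])) as $token) {
        $token = sanitize_html_class($token);
        if ($token !== '') {
            $classes[] = $token;
        }
    }
    return '<div class="' . esc_attr(implode(' ', $classes)) . '">...</div>';
}

// Registration only happens when WordPress is loaded.
if (function_exists('add_shortcode')) {
    add_shortcode('demo_posts', 'demo_posts_hardened');
}

// Constructed payload of the kind a subsite Administrator without
// unfiltered_html could store as
//   [demo_posts add_class='x" onmouseover="alert(document.domain)']
// WordPress's own shortcode parser hands the single-quoted value through intact.
$payload = ['add_class' => 'x" onmouseover="alert(document.domain)'];

echo demo_posts_vulnerable($payload), PHP_EOL;
echo demo_posts_hardened($payload), PHP_EOL;
```

Run with `php demo.php`: the first line of output contains a live onmouseover handler, the second contains only class tokens. The single-quoted shortcode attribute is the detail that makes the attack work in practice: a double quote inside a double-quoted attribute would end the value early in the shortcode parser, but inside single quotes it survives to the rendered HTML.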

The operational impact follows from where the script runs: in the browser of every user who views the injected page, including Super Admins of a multisite network. A payload can act with that viewer's session, so a site Administrator on one subsite can reach for actions and data that only a higher-privileged account holds, steal information, or redirect visitors. The unfiltered_html restriction exists precisely to stop multisite Administrators from placing scripts in content; this bug bypasses it through a plugin attribute that WordPress core does not filter. The required privilege is high, so the realistic actors are a malicious subsite Administrator or an attacker who has already compromised such an account. Consistent with that, the exploitation activity recorded for this CVE is very low and it is not in the KEV catalog.

Mitigation starts with updating the Weaver Show Posts plugin to the vendor's fixed release (later than 1.8.1). Note what the update does and does not do: a fix in output escaping stops stored payloads from executing, but any value already injected stays in the post content until someone finds it, and finding it identifies the account that planted it. A sweep of stored content for 'add_class' values that contain quotes, angle brackets or other characters that cannot appear in a class name is therefore worth running after the update, together with a review of Administrator accounts on each subsite. Least privilege applies directly here: grant subsite Administrator roles sparingly, and treat plugin attributes that take raw strings as untrusted on both input and output. Web application firewalls add a layer but should not be relied on, because the injection arrives through an authenticated Administrator's normal editor request and looks like ordinary content. Periodic review of third-party plugins and automated scanning of installed versions against published advisories remain the practical way to catch issues of this kind before they reach production.
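The sweep described above, as an added example that is not part of the advisory or the plugin: it scans a block of stored post content for shortcode attributes named add_class whose value contains characters that a plain class list would never hold. It assumes the parameter is supplied as a shortcode attribute and that the content comes from wp_posts.post_content (via $wpdb, WP-CLI or a database dump); the sample content and the [demo_posts] shortcode name are constructed for the example.

```php
<?php
// Added example, not part of the advisory or the plugin: a sweep over stored
// post content for add_class values that could not be a plain class list.
// Assumptions: add_class is supplied as a shortcode attribute, and content is
// pulled from wp_posts.post_content (via $wpdb, WP-CLI or a dump). The sample
// below is constructed; the shortcode name [demo_posts] is hypothetical.

function find_risky_add_class(string $post_content): array
{
    $hits = [];
    // Any [shortcode ...] carrying add_class="..." / add_class='...' / add_class=bare.
    // The alternation mirrors the three value forms WordPress's own attribute
    // parser accepts, so the sweep sees what the plugin would have seen.
    $pattern = '/\[[A-Za-z0-9_-]+[^\]]*?\badd_class\s*=\s*'
             . '(?:(["\'])(.*?)\1|([^\s\]"\']+))/s';
    if (!preg_match_all($pattern, $post_content, $matches, PREG_SET_ORDER)) {
        return $hits;
    }
    foreach ($matches as $m) {
        // Group 2 holds a quoted value, group 3 a bare one.
        $value = ($m[2] !== '') ? $m[2] : ($m[3] ?? '');
        // A legitimate value is space-separated tokens of [A-Za-z0-9_-].
        // Quotes, angle brackets, '=' and the like mean someone was aiming
        // at the attribute boundary, not at a stylesheet.
        if (preg_match('/[^A-Za-z0-9_\- ]/', $value)) {
            $hits[] = ['shortcode' => $m[0], 'value' => $value];
        }
    }
    return $hits;
}

// Constructed sample of post_content: one benign use, one injected use,
// one bare-value use. Only the middle one should be reported.
$sample_post_content = <<<'TXT'
Latest news from the team.
[demo_posts add_class="featured wide" per_page="5"]
[demo_posts add_class='x" onmouseover="alert(document.domain)' per_page="5"]
[demo_posts add_class=compact]
TXT;

foreach (find_risky_add_class($sample_post_content) as $hit) {
    printf("%s\n  add_class value: %s\n", $hit['shortcode'], $hit['value']);
}
```

To run it against a live site, feed each row of `SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%add_class=%'` (or the equivalent `wp db query` output) through find_risky_add_class and record the post ID and post_author of every hit; the author field is the lead for the account review.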

Responsible

Wordfence

Reservation

02/06/2026

Disclosure

03/21/2026

Moderation

accepted

CPE

ready

EPSS

0.00050

KEV

no

Activities

very low
