– Proof of Concept - Atomic Edge

Atomic Edge analysis of CVE-2026-1915 (metadata-based):
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw in the Simple Plyr WordPress plugin, version 0.0.1. The issue resides in the plugin’s ‘plyr’ shortcode handler, specifically in the processing of the ‘poster’ attribute. Attackers with Contributor-level or higher permissions can inject malicious scripts into posts or pages, which execute when a user views the compromised content. The CVSS score of 6.4 (Medium) reflects the need for authentication but the broad impact due to stored execution and scope change.

Atomic Edge research infers the root cause is insufficient input sanitization and output escaping for user-supplied shortcode attributes. The CWE-79 classification confirms a failure to neutralize input during web page generation. The vulnerability description states the ‘poster’ parameter is not properly sanitized before being rendered. Without code for review, this conclusion is based on the CWE pattern and the described attack vector. The plugin likely uses the `shortcode_atts()` function or similar to parse attributes but fails to apply `esc_attr()` or an equivalent escaping function when outputting the ‘poster’ attribute value within an HTML tag.

Exploitation requires an authenticated user with at least Contributor privileges. The attacker creates or edits a post, inserting the ‘[plyr]’ shortcode with a malicious ‘poster’ attribute. The payload is a JavaScript payload within the attribute value, such as `poster=”http://example.com/image.jpg” onerror=”alert(document.cookie)”`. When the post is saved and subsequently viewed by any user, the browser interprets the injected attribute as executable code. The attack vector is the WordPress post editor, and the payload is stored in the database.

Effective remediation requires implementing proper output escaping. The plugin should escape the ‘poster’ attribute value using WordPress core functions like `esc_attr()` or `esc_url()` before echoing it within an HTML element, likely an `` or `

The impact of successful exploitation is client-side code execution in the context of a victim’s browser session. Attackers can steal session cookies, perform actions on behalf of the user, deface websites, or redirect users to malicious sites. Since the payload is stored, a single injection can affect all visitors to the compromised page. The scope change (S:C in CVSS) indicates the vulnerability can affect components beyond the plugin’s own security scope, potentially impacting the entire WordPress site.