UNKNOWN (0.0)
    Plugin

    Stored Cross-Site Scripting in Media Library Alt Text Editor Plugin via Shortcode

    Published Date: 3/7/2026
    CVE ID: CVE-2026-1820

    Summary

    The Media Library Alt Text Editor plugin for WordPress is vulnerable to stored cross-site scripting (XSS) due to insufficient input sanitization and output escaping in its shortcode function. This allows authenticated users with at least contributor-level access to inject malicious scripts into pages.

    Vulnerability Details

    The vulnerability resides in the 'bvmalt_sc_div_update_alt_text' shortcode of the Media Library Alt Text Editor plugin. The shortcode does not adequately sanitize user-supplied input or escape its output, so an attacker can inject arbitrary script into a page. When a page containing the injected script is viewed, the script runs in the context of the visiting user's browser, which can lead to session hijacking, defacement or other malicious activity. The risk is greatest in environments where several users share administrative or editorial responsibilities, because an attacker with contributor access can compromise the integrity and security of the WordPress site. The flaw affects version 1.0.0 and earlier, and it underlines the need for robust input validation and output escaping in plugins.

    Recommendations

    To mitigate this vulnerability, ensure that all inputs are sanitized and all outputs are properly escaped in WordPress plugins. Restrict user roles and privileges so that only trusted accounts hold contributor or higher-level access. Back up your site regularly and monitor user activity for suspicious behavior.
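    The unsafe pattern described under Vulnerability Details and the sanitize-and-escape remedy recommended above, as an added illustration: a hypothetical WordPress shortcode that stores and displays an attachment's alt text, first in the unsafe form and then hardened with WordPress's own sanitization and escaping functions. This is not the plugin's code, and the shortcode name, attribute names and function names are assumptions.

```php
<?php
// Hypothetical shortcode [example_alt_text id="123" alt="..."], written to illustrate
// the advisory; it is NOT the Media Library Alt Text Editor plugin's code.

// UNSAFE pattern: shortcode attributes come from post content, which a contributor
// can write, and here they are stored and echoed without sanitization or escaping.
function example_alt_text_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0, 'alt' => '' ), $atts, 'example_alt_text' );
    update_post_meta( $atts['id'], '_wp_attachment_image_alt', $atts['alt'] ); // stored as-is
    return '<div class="alt-text">' . $atts['alt'] . '</div>';                 // echoed as-is
}

// HARDENED version: validate the id, gate the write, sanitize before storing,
// and escape every value for the HTML context it lands in.
function example_alt_text_safe( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0, 'alt' => '' ), $atts, 'example_alt_text' );

    $id = absint( $atts['id'] );
    if ( ! $id || 'attachment' !== get_post_type( $id ) ) {
        return '';
    }

    // Shortcodes run when the page is rendered, so this check applies to the
    // viewer; only a user allowed to edit the attachment may change its alt text.
    if ( current_user_can( 'edit_post', $id ) ) {
        $alt = sanitize_text_field( $atts['alt'] ); // alt text is plain text: strip tags
        update_post_meta( $id, '_wp_attachment_image_alt', $alt );
    }

    // Read back the stored value and escape per context: esc_url() for the src,
    // esc_attr() inside the alt attribute, esc_html() for element content.
    $alt = get_post_meta( $id, '_wp_attachment_image_alt', true );
    $src = wp_get_attachment_image_url( $id, 'thumbnail' );
    return sprintf(
        '<div class="alt-text"><img src="%s" alt="%s" /><span>%s</span></div>',
        esc_url( $src ? $src : '' ),
        esc_attr( $alt ),
        esc_html( $alt )
    );
}
add_shortcode( 'example_alt_text', 'example_alt_text_safe' );
```

Escaping on output is what stops a stored value from executing even if an earlier sanitization step is bypassed, so both layers belong in a fix.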

    Available Fixes

    Last Updated: 3/10/2026
    Jedar

    Jedar for Digital Rights is a non-profit organization dedicated to protecting digital freedoms, enhancing online privacy, and promoting secure digital practices for vulnerable communities worldwide.

    All Rights Reserved © 2026 Jedar for Digital Rights.
