CVE-2026-7662: ePaperFlip Publisher WordPress Plugin Stored XSS Vulnerability
The ePaperFlip Publisher plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with Contributor-level permissions or higher to inject malicious scripts into pages. When other users view those pages, the injected scripts execute in their browsers, potentially compromising their accounts or stealing sensitive information. The vulnerability affects all versions up to and including version 1 and stems from the plugin failing to properly filter and escape user input in the 'publicationid' shortcode attribute before inserting it into JavaScript code.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
The ePaperFlip Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'publicationid' attribute of the `epaperflip_embed` shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on the shortcode attribute which is injected directly into inline JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-7662 is a stored XSS flaw in the ePaperFlip Publisher WordPress plugin affecting versions up to 1.x. The vulnerability exists in the `epaperflip_embed` shortcode handler, specifically the 'publicationid' attribute parameter. The plugin insufficiently sanitizes this attribute and directly concatenates it into inline JavaScript without proper escaping, creating a code injection point. An authenticated attacker with Contributor or Editor privileges can craft a malicious shortcode containing JavaScript payload, store it in a post or page, and the payload executes in the browsers of any user viewing that content. This is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Business impact
Compromise of site visitor accounts and data is the primary risk. Attackers with Contributor access can inject keyloggers, credential-stealing scripts, or redirect users to phishing sites, affecting site reputation and user trust. For multi-author or agency WordPress installations where Contributor accounts are distributed, this creates a meaningful lateral movement and persistence vector. The attack surface extends to all pages containing the vulnerable shortcode, multiplying potential victim exposure.
Affected systems
ePaperFlip Publisher plugin for WordPress, all versions up to and including 1. The vulnerability requires an authenticated attacker with at minimum Contributor-level role, which is a standard WordPress role granted to authors and above. Any WordPress site running this plugin with contributors or higher-privilege users is in scope.
Exploitability
Exploitability is moderate in a layered sense. An attacker must first obtain Contributor or Editor credentials, either through compromise or by being a legitimate site contributor. No network interaction or user action beyond page viewing is required for payload execution—the script fires automatically when the page loads. However, the authentication requirement prevents mass remote exploitation of unrelated sites. Internal threats and compromised contributor accounts present the most realistic attack vector.
Remediation
Update the ePaperFlip Publisher plugin to a patched version as soon as available from the plugin repository. Until a patch is released, restrict Contributor-level access to only trusted users, disable the plugin if not actively in use, or remove any existing posts or pages using the `epaperflip_embed` shortcode. Review user roles and audit recent edits to pages containing the shortcode for signs of malicious modification.
Patch guidance
Monitor the official WordPress plugin repository and the ePaperFlip Publisher vendor website for a security update addressing this vulnerability. When available, update immediately through the WordPress dashboard Plugins > Updates interface. Before updating, back up your site. After patching, verify that all shortcodes render correctly and audit pages for any existing malicious payloads that may have been injected prior to the update. Consider scanning post and page content for suspicious JavaScript patterns if you suspect exploitation occurred.
Detection guidance
Inspect WordPress posts and pages for `epaperflip_embed` shortcodes with suspicious or unusual 'publicationid' parameter values, especially those containing script tags, event handlers, or obfuscated code. Review the WordPress revision history and user edit logs for any unexpected changes to pages containing these shortcodes. Monitor browser console warnings for failed or suspicious script loads on pages using the plugin. Use WordPress security plugins with shortcode scanning capabilities to flag potentially malicious attributes automatically.
Why prioritize this
Although this is a MEDIUM-severity vulnerability (CVSS 6.4), prioritization depends on your contributor user base. Organizations with minimal Contributor accounts or tight access controls should address this in standard maintenance windows. Agencies, multi-author publishers, or sites with large contributor communities should treat this more urgently, as the attack surface is wider and the barrier to exploitation lower. The stored nature of the XSS means the damage persists until remediated, affecting repeat visitors indefinitely.
Risk score, explained
CVSS 6.4 reflects moderate risk: the vulnerability requires authenticated access (reducing likelihood of mass exploitation), affects confidentiality and integrity of user sessions (not availability), and has a network-based attack vector with low complexity once credentials are obtained. The 'S:C' (Scope Changed) component elevates the score because the payload impacts users beyond the attacker's immediate scope. It is not critical, but material enough to warrant prompt patching in most organizations.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. The vulnerability requires at minimum Contributor-level authentication in WordPress. Unauthenticated users cannot inject malicious shortcodes. However, if a contributor account is compromised, the vulnerability becomes exploitable.
Will updating WordPress alone fix this issue?
No. This is a plugin-specific vulnerability. Updating WordPress will not patch ePaperFlip Publisher. You must update the plugin itself through the Plugins menu or by downloading the latest version from the WordPress plugin repository.
How can I tell if my site has been compromised by this vulnerability?
Review the revision history of posts and pages using the epaperflip_embed shortcode for unexpected edits. Inspect the shortcode attributes in the page source for suspicious content. If your site's analytics show unusual traffic or users report unexpected redirects, investigate further. Consider scanning with a WordPress security plugin.
If I don't use the epaperflip_embed shortcode, am I affected?
No. If you do not use the ePaperFlip Publisher plugin or do not use the vulnerable shortcode in any posts or pages, this CVE does not pose a direct risk to your site. However, it is still prudent to keep all plugins updated as a general security practice.
This analysis is based on publicly available vulnerability data as of the publication date and is provided for informational purposes. SEC.co makes no warranty as to the accuracy, completeness, or timeliness of this information. Exploit details and proof-of-concept code are not provided herein. Organizations should verify patch availability and compatibility with their specific WordPress configurations before deploying updates. This document does not constitute legal, compliance, or professional security advice; consult your internal security team or a qualified security vendor for guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2021-47982MEDIUMWP-Paginate 2.1.3 Stored XSS in Plugin Settings