{"id":"CVE-2026-5247","summary":"Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories \u003c= 4.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'wrapper' Shortcode Attribute","details":"The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the [futureaction] shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The plugin uses esc_html() to escape the value, but esc_html() only encodes HTML entities and does not prevent attribute injection when the value is used as an HTML tag name in a sprintf() call. An attacker can inject event handler attributes via spaces in the wrapper value. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Since it is also possible for administrators to make this functionality available to lower-privileged users, this introduces the possibility of abuse by contributors.","modified":"2026-07-15T01:49:14.409406062Z","published":"2026-05-05T02:26:56.378Z","database_specific":{"cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/5xxx/CVE-2026-5247.json","cna_assigner":"Wordfence"},"references":[{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/post-expirator/tags/4.9.4/src/Modules/Expirator/Controllers/ShortcodeController.php#L173"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/post-expirator/trunk/src/Modules/Expirator/Controllers/ShortcodeController.php#L173"},{"type":"WEB","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/9acf80aa-8354-4430-9836-18fa17854521?source=cve"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/5xxx/CVE-2026-5247.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-5247"},{"type":"PACKAGE","url":"https://github.com/publishpress/publishpress-future/releases"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/publishpress/publishpress-future","events":[{"introduced":"0"},{"last_affected":"90496d479b2983f0a6240b242d78e11a61fbcd4d"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"4.10.0"}],"source":"AFFECTED_FIELD"}}],"versions":["4.10.0","4.4.0","4.3.3","4.3.2","4.3.1","4.3.0","4.2.0","4.1.3","4.1.2","4.1.1","4.1.0","3.4.5-beta.1","3.4.1","3.4.0.1","3.4.0","3.3.1","3.3.0","3.2.0","3.1.7","3.1.6","3.1.5","3.1.4","3.1.3","3.1.2","3.1.1","3.1.0","3.0.6","3.0.5","v3.0.1","v3.0.0","v2.9.2","v2.9.1","v2.9.0","v2.8.3","v2.8.2","v2.8.1","v2.8.0","v2.7.8","v2.7.7","v2.7.5","2.7.4","v2.7.3","v2.7.2","v2.7.0","v2.7.1-rc.6","v2.7.1-rc.5","v2.7.1-rc.4","v2.7.1-rc.3","v2.7.1-rc.2","v2.7.1-rc.1","v2.6.3","v2.6.2","v2.6.1","v2.6.0","v2.5.1","v2.5.0","v2.4.4","v2.4.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5247.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"}]}