Attack Vectors
CVE-2026-1886 affects the Go Night Pro | WordPress Dark Mode Plugin (slug: go-night-pro) in versions 1.1.0 and below. This is a Medium-severity issue (CVSS 6.4) that can be exploited by an authenticated user with Contributor-level access or higher.
The primary entry point is the plugin’s go-night-pro-shortcode shortcode. An attacker can place a malicious payload in the shortcode’s margin attribute, and because the shortcode is saved with the post or page content, the injected script can execute later whenever any user visits the affected page or post.
This risk is most relevant on sites where multiple people can publish or contribute content (marketing teams, agencies, freelancers, partners), or where accounts are frequently created for campaigns and then not removed or tightly governed.
Security Weakness
The vulnerability is a Stored Cross-Site Scripting (Stored XSS) condition caused by insufficient input sanitization and output escaping of the user-supplied margin attribute used by the plugin’s shortcode.
Because the payload is stored in WordPress content and executed in visitors’ browsers, it can impact not only internal users but also customers and prospects who land on compromised pages. There is no known patch available at this time, which increases operational risk for organizations that continue running the affected plugin.
Given the lack of a vendor fix, organizations should evaluate mitigations based on risk tolerance. For many businesses, the safest option is to uninstall the affected software and replace it, especially on high-traffic marketing sites and any site handling user accounts, lead forms, or payment-related flows.
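One compensating control while the plugin stays installed is to audit stored content for uses of the shortcode whose margin attribute is not a plain CSS length, and review those posts and the accounts that last edited them. The script below is an added example, not code from the plugin or its vendor; the sample posts are constructed, and the CSS-length allow-list is an assumption about what legitimate margin values look like.

```python
# Audit WordPress post content for go-night-pro-shortcode tags whose margin
# attribute is not a plain CSS length. Added defender example, not plugin code.
import re
from typing import Dict, List

SHORTCODE = "go-night-pro-shortcode"
# [go-night-pro-shortcode ...attrs...]; the attribute text is group 1.
SHORTCODE_RE = re.compile(r"\[" + re.escape(SHORTCODE) + r"(\s[^\]]*)?\]")
# Simplified form of WordPress's shortcode attribute grammar:
#   key="value" | key='value' | key=bareword
ATTR_RE = re.compile(r"(\w+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s\"'\]]+))")
# Assumed allow-list for a benign margin: 1 to 4 CSS length tokens ("10px", "0 auto").
LEN = r"(?:-?\d+(?:\.\d+)?(?:px|em|rem|%|vh|vw)?|auto)"
SAFE_MARGIN_RE = re.compile(rf"^{LEN}(?:\s+{LEN}){{0,3}}$")


def parse_attrs(attr_text: str) -> Dict[str, str]:
    """Return {name: raw value} for the attributes of one shortcode tag."""
    attrs: Dict[str, str] = {}
    for m in ATTR_RE.finditer(attr_text):
        # Exactly one of the three value groups matched; pick it.
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def audit_post(post_id: int, content: str) -> List[dict]:
    """Flag every shortcode in a post whose margin fails the allow-list."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        margin = parse_attrs(m.group(1) or "").get("margin")
        if margin is None or SAFE_MARGIN_RE.match(margin):
            continue  # no margin attribute, or a plain CSS length: fine
        findings.append({"post_id": post_id, "margin": margin, "tag": m.group(0)})
    return findings


def audit_all(posts: Dict[int, str]) -> List[dict]:
    """Run audit_post over a {post_id: post_content} map, e.g. rows of wp_posts."""
    return [f for pid, body in sorted(posts.items()) for f in audit_post(pid, body)]


# Constructed sample content standing in for wp_posts.post_content rows.
SAMPLE_POSTS = {
    1: 'Welcome [go-night-pro-shortcode margin="10px"] to the site.',
    2: 'Promo [go-night-pro-shortcode margin="10px;position:fixed"] here',
    3: "[go-night-pro-shortcode margin='0 auto' theme=dark]",
    4: "Footer [go-night-pro-shortcode margin='4px\" x=\"y'] text",
    5: "No margin: [go-night-pro-shortcode]",
}
```

Anything flagged is a review item, not proof of compromise: a typo in a legitimate margin is also reported, so check the post revision history and the editing account for each finding.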
Technical or Business Impacts
Stored XSS can enable malicious in-browser actions that appear to come from your site. Depending on who visits an injected page and what permissions they have, potential impacts include: session and account compromise, unauthorized actions performed in an admin’s browser, content defacement, redirecting visitors to scams, or silently injecting additional malicious scripts.
From a business perspective, this can translate into brand damage (malicious pop-ups or redirects on campaign pages), loss of customer trust, reduced conversion rates, potential exposure of customer or employee data, and added incident response costs. If an admin or editor is affected, the attacker may be able to escalate the scope of the compromise by leveraging that user’s access to publish more malicious content or modify site settings.
With no patch available, leadership should treat this as an active risk decision: either accept the exposure with compensating controls (tight role management, reduced contributor access, stronger authentication, added monitoring and web filtering) or remove the plugin to eliminate the vulnerable component.
Similar Attacks
Script injection and browser-executed attacks have been used in real-world incidents to intercept user activity and steal data. Examples include:
British Airways “Magecart” attack (BBC) — malicious JavaScript used to skim payment data
Ticketmaster breach linked to third-party script compromise (BBC) — injected scripts used to harvest customer data
While these examples may involve different root causes than CVE-2026-1886, the business lesson is the same: when attackers can run JavaScript in users’ browsers under your brand, they can undermine trust, conversions, and compliance obligations quickly.