Attack Vectors
CVE-2026-1575 is a Medium-severity Stored Cross-Site Scripting (XSS) issue (CVSS 6.4) affecting the Schema Shortcode WordPress plugin (slug: schema-shortcode) in versions up to and including 1.0. The attack requires an authenticated WordPress account with Contributor-level access or higher.
An attacker who can create or edit content can inject malicious script into a page or post via the plugin’s itemscope shortcode attributes. Because it is stored, the script can execute later for anyone who views the affected page—potentially including customers, executives, or site administrators—without requiring them to click anything.
Reference: CVE-2026-1575 record and the published details from Wordfence Threat Intelligence.
Security Weakness
The vulnerability is caused by insufficient input sanitization and output escaping of user-supplied shortcode attributes in the plugin’s itemscope shortcode. In practical terms, the plugin does not adequately validate what gets saved and rendered, enabling injected scripts to be stored in WordPress content and executed in visitors’ browsers.
No known patch is currently available per the published advisory. Organizations should evaluate mitigations based on risk tolerance, including removing or replacing the plugin if it is not essential to business operations.
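As an added illustration (not the plugin's own code, whose internals the advisory does not publish), a hypothetical WordPress shortcode handler that exhibits the weakness class described above, beside a hardened form using WordPress's own validation and escaping helpers. The attribute names type and id and both handler function names are assumptions; only the itemscope shortcode name comes from the advisory.

```php
<?php
// Added illustration, NOT the Schema Shortcode plugin's own code.
// Assumed: attribute names 'type' and 'id', and the two handler names.

// Weakness class from the advisory: user-supplied shortcode attributes are
// neither validated on save nor escaped at output, so they land in the
// rendered HTML verbatim and execute in every viewer's browser.
function vulnerable_itemscope_handler( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'type' => 'Thing', 'id' => '' ), $atts, 'itemscope' );
    // Unescaped attribute values can break out of the quoted HTML attribute.
    return '<div itemscope itemtype="' . $atts['type'] . '" id="' . $atts['id'] . '">'
         . do_shortcode( $content )
         . '</div>';
}

// Hardened form: validate each attribute against what it is supposed to
// contain, then escape for the HTML attribute context when rendering.
function hardened_itemscope_handler( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'type' => 'Thing', 'id' => '' ), $atts, 'itemscope' );

    // Allow-list: a schema.org type name is letters only; anything else
    // falls back to the default instead of being passed through.
    $type     = preg_match( '/^[A-Za-z]+$/', $atts['type'] ) ? $atts['type'] : 'Thing';
    $itemtype = 'https://schema.org/' . $type;

    // sanitize_html_class() strips characters that are not valid in an id.
    $id = sanitize_html_class( $atts['id'] );

    // esc_url()/esc_attr() encode quotes and angle brackets so a value can
    // neither terminate the attribute nor open a new tag.
    $html  = '<div itemscope itemtype="' . esc_url( $itemtype ) . '"';
    $html .= ( '' !== $id ) ? ' id="' . esc_attr( $id ) . '"' : '';
    $html .= '>' . do_shortcode( $content ) . '</div>';
    return $html;
}

// Register only the hardened handler.
add_shortcode( 'itemscope', 'hardened_itemscope_handler' );
```

The same pattern applies to any attribute the real plugin accepts: decide what each value may legitimately contain, reject or default anything else, and escape with the helper that matches the output context (esc_attr, esc_url, esc_html, or wp_kses_post for nested markup).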
Technical or Business Impacts
Stored XSS can create business risk beyond “a website bug.” Depending on who views the injected content, outcomes may include session theft, account misuse, and unauthorized changes performed under a legitimate user’s browser session—especially if an administrator views an infected page.
For marketing and executive stakeholders, likely impacts include brand damage (defaced pages or unwanted pop-ups), loss of customer trust, potential lead diversion (tampered forms or redirects), and increased incident response costs. Compliance teams may also need to assess whether the incident triggers notification, logging, or third-party reporting obligations, depending on what data could be exposed through compromised sessions.
Risk-reduction options to consider until a fix exists include: uninstalling the affected plugin and selecting a maintained replacement; restricting Contributor permissions and limiting who can publish/edit pages that use shortcodes; reviewing existing content for unexpected itemscope shortcode usage; and increasing monitoring of content changes and administrator activity for signs of abuse.
Similar Attacks
Stored XSS has been used in real-world incidents to spread rapidly and hijack user sessions. Examples include the Samy worm on MySpace and the 2010 “onMouseOver” Twitter worm, both of which demonstrated how quickly injected scripts can propagate and impact brand trust when they execute in users’ browsers.