Simple Football Scoreboard Vulnerability (Medium) – CVE-2026-1891

by | Mar 20, 2026 | Plugins

Attack Vectors

Simple Football Scoreboard (slug: simple-football-score-board) versions 1.0 and below have a Medium-severity Stored Cross-Site Scripting (XSS) vulnerability (CVSS 6.4) tracked as CVE-2026-1891.

The attack requires an authenticated WordPress account with Contributor-level permissions or higher. An attacker can place a malicious payload inside attributes of the ytmr_fb_scoreboard shortcode. Because it is a stored issue, the injected script can run later for anyone who loads the affected page—often including editors, administrators, and site visitors—without needing them to click anything specific.

Practical risk scenarios include: allowing external writers, agencies, interns, partners, or compromised contributor accounts to publish or submit content that contains the shortcode; or workflows where contributor submissions are later approved and published by an editor, unintentionally promoting the injected content to public pages.

Security Weakness

The vulnerability is caused by insufficient input sanitization and output escaping of user-supplied shortcode attributes in Simple Football Scoreboard (up to and including version 1.0). This weakness enables stored JavaScript injection via the ytmr_fb_scoreboard shortcode, making the malicious code persist in WordPress content and execute when the page is rendered.
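To make the weakness concrete, the following PHP contrasts the generic shortcode-handler pattern that produces a stored XSS with a hardened version. This is an added illustration, not the plugin's code: the attribute names (home, away, home_score, away_score, title), the markup, the function names and the example_scoreboard tag are all hypothetical, and the block is meant to run inside WordPress (it uses the core shortcode_atts, absint, sanitize_text_field, esc_attr, esc_html and add_shortcode functions).

```php
<?php
// Added illustration, not the plugin's code. Attribute names, markup and function
// names are hypothetical; what is modelled is the weakness class from the advisory:
// user-controlled shortcode attributes reaching HTML output without escaping.

// --- Weak pattern: attribute values are concatenated straight into markup -------
function example_scoreboard_weak( $atts ) {
    $atts = shortcode_atts(
        array( 'home' => 'Home', 'away' => 'Away', 'home_score' => '0', 'away_score' => '0', 'title' => '' ),
        $atts,
        'example_scoreboard'
    );
    // Contributors cannot save raw <script> elements (core filters post content for
    // users without unfiltered_html), but a shortcode attribute is just text to that
    // filter. A value that closes the surrounding quote and appends an event-handler
    // attribute survives intact and is executed by every visitor's browser once it
    // is concatenated here unescaped.
    return '<div class="scoreboard" title="' . $atts['title'] . '">'
         . '<span class="home">' . $atts['home'] . '</span> '
         . '<span class="score">' . $atts['home_score'] . ' : ' . $atts['away_score'] . '</span> '
         . '<span class="away">' . $atts['away'] . '</span>'
         . '</div>';
}

// --- Hardened pattern: validate on input, escape for the exact output context ----
function example_scoreboard_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'home' => 'Home', 'away' => 'Away', 'home_score' => '0', 'away_score' => '0', 'title' => '' ),
        $atts,
        'example_scoreboard'
    );

    // Input validation: a score can only ever be a non-negative integer, so anything
    // else is rejected at the type level rather than filtered.
    $home_score = absint( $atts['home_score'] );
    $away_score = absint( $atts['away_score'] );

    // Team names and the title are free text: strip tags and control characters on
    // the way in ...
    $home  = sanitize_text_field( $atts['home'] );
    $away  = sanitize_text_field( $atts['away'] );
    $title = sanitize_text_field( $atts['title'] );

    // ... and still escape on the way out, for the context each value lands in:
    // esc_attr() inside an attribute value, esc_html() between tags, %d for the
    // integers. Sanitizing input alone is not enough; escaping is context-specific.
    return sprintf(
        '<div class="scoreboard" title="%s"><span class="home">%s</span> '
        . '<span class="score">%d : %d</span> <span class="away">%s</span></div>',
        esc_attr( $title ),
        esc_html( $home ),
        $home_score,
        $away_score,
        esc_html( $away )
    );
}

// Register only the hardened handler under the hypothetical tag.
add_shortcode( 'example_scoreboard', 'example_scoreboard_hardened' );
```

The point of the pair is the last step: even after sanitize_text_field, the hardened handler escapes every value for the position it occupies in the markup, so an attribute value can never terminate the title="..." quote and an element body can never introduce a new tag. Review any shortcode handler you run against that standard, not only the one named in this advisory.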

At the time of writing, the published advisory notes no known patch is available. That elevates the business decision from “patch quickly” to “mitigate and reduce exposure,” including evaluating whether continued use is acceptable given your organization’s risk tolerance.

Technical or Business Impacts

Stored XSS commonly turns a content-management permission into a broader security event. With this issue, a single compromised or malicious Contributor+ account could inject scripts that impact executives, site admins, and customers.

Business impacts to consider include:

Brand and campaign risk: attackers can alter what users see on key landing pages, inject fake promos, or redirect traffic—hurting conversion rates, trust, and paid media ROI.

Account compromise and fraud enablement: malicious scripts can be used to steal session data or perform actions in a victim’s browser, potentially leading to unauthorized changes, new admin creation, or tampering with marketing assets.

Data exposure and compliance concerns: injected scripts may capture form entries or user interactions, creating potential privacy and regulatory implications depending on what data your site collects.

Operational disruption: incident response time, emergency content freezes, and stakeholder communications can delay launches and reporting cycles. With no known patch, ongoing monitoring and compensating controls may become a standing cost.

Recommended risk-based response: if the plugin is not business-critical, the safest option may be to uninstall Simple Football Scoreboard and replace it with an alternative that is actively maintained. If it must remain in place temporarily, reduce exposure by limiting who can create/edit posts containing shortcodes, reviewing contributor content before publishing, and monitoring for unexpected shortcode usage—especially on high-value pages.
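The monitoring step above can be turned into a quick triage script. The stand-alone PHP below (an added example, not part of the advisory or the plugin, needing no WordPress installation) scans post content for ytmr_fb_scoreboard instances and flags attribute values containing markup characters or script-handler keywords that have no place in a team name or score. The post IDs and content are constructed sample data; in practice you would feed it exported content, for instance from wp post list with --fields=ID,post_content --format=json (an assumed workflow). The character heuristic is deliberately crude and meant for review queues, not as a blocking control.

```php
<?php
// Added example, not from the advisory or the plugin. Stand-alone PHP; run with
// `php scan_scoreboard_shortcodes.php` (file name is arbitrary).

/**
 * Return every [ytmr_fb_scoreboard ...] attribute in $content whose value
 * contains characters or keywords that a legitimate team name, score or title
 * would never need. Heuristic, intended to build a manual review list.
 */
function find_suspicious_scoreboard_shortcodes( string $content ): array {
    $findings = [];

    // Opening tag of the shortcode plus its raw attribute string. A value that
    // itself contains ']' truncates the match; good enough for triage.
    if ( ! preg_match_all( '/\[ytmr_fb_scoreboard\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER ) ) {
        return $findings;
    }

    foreach ( $tags as $tag ) {
        $raw_atts = $tag[1];

        // key="value", key='value' or key=value: the three forms WordPress accepts.
        preg_match_all( '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/', $raw_atts, $pairs, PREG_SET_ORDER );

        foreach ( $pairs as $p ) {
            // Exactly one of the three value groups matched; the others are empty or
            // absent, so concatenation yields the matched value.
            $value = ( $p[2] ?? '' ) . ( $p[3] ?? '' ) . ( $p[4] ?? '' );

            // Stored content may carry entity-encoded characters; decode before
            // inspecting so that &lt; is judged the same as a literal '<'.
            $decoded = html_entity_decode( $value, ENT_QUOTES, 'UTF-8' );

            // Markup delimiters, a javascript: URL or an on*= handler inside a
            // scoreboard attribute are worth a human look.
            if ( preg_match( '/[<>"]|javascript:|\bon[a-z]+\s*=/i', $decoded ) ) {
                $findings[] = [
                    'shortcode' => $tag[0],
                    'attribute' => $p[1],
                    'value'     => $decoded,
                ];
            }
        }
    }

    return $findings;
}

// Constructed sample content: post 101 is benign, post 102 carries an
// entity-encoded tag inside an attribute value.
$sample_posts = [
    101 => 'Match report. [ytmr_fb_scoreboard home="Lions" away="Tigers" home_score="2" away_score="1"]',
    102 => 'Preview. [ytmr_fb_scoreboard home="Lions&lt;script&gt;" away="Tigers" home_score=0 away_score=0]',
];

foreach ( $sample_posts as $post_id => $content ) {
    foreach ( find_suspicious_scoreboard_shortcodes( $content ) as $f ) {
        printf(
            "post %d: attribute '%s' looks suspicious (%s) in %s\n",
            $post_id,
            $f['attribute'],
            $f['value'],
            $f['shortcode']
        );
    }
}
```

Running it against the sample prints one line for post 102 and nothing for post 101. On a live site, pair the scan with a restriction on which roles may publish posts containing the shortcode, and run it again after any contributor submission is approved, since approval is the moment the stored payload becomes reachable by visitors.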

Similar Attacks

Stored XSS in WordPress plugins is a common pattern because shortcodes and content fields are frequently used by multiple roles across marketing and editorial teams. Examples of real-world Stored XSS/plugin-related incidents include:

Elementor Website Builder vulnerability coverage (Wordfence)

WordPress XSS attack campaign analysis (Wordfence)

Example campaign exploiting a WordPress plugin zero-day (Wordfence)
