Outgrow Vulnerability (Medium) – CVE-2026-1889


Mar 20, 2026 | Plugins

Attack Vectors

Product: Outgrow (WordPress plugin, slug: outgrow)

Vulnerability: CVE-2026-1889 (Severity: Medium, CVSS 6.4; Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) affecting Outgrow versions up to and including 2.1.

This issue can be exploited by an authenticated user with Contributor access or higher. The attacker places a malicious payload in the id attribute of the [outgrow] shortcode, typically within a post or page they are allowed to edit.

Because it is a stored cross-site scripting (XSS) issue, the injected code runs later in the browser of anyone who views the affected page, potentially including staff, executives, customers, or partners, without their needing to click anything unusual.

Security Weakness

The Outgrow plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping for user-supplied attributes in the [outgrow] shortcode, specifically the id attribute.

In practical terms, this means content created by a lower-privileged, authenticated account (Contributor+) can embed script content that is later rendered in the browser of anyone viewing the page, crossing trust boundaries between “content creation” and “site behavior.”

Reference: CVE-2026-1889 record and the published write-up from Wordfence Threat Intelligence.

Patch status: There is currently no known patch available. Organizations should apply mitigations based on risk tolerance; for many businesses, the most risk-reducing option may be to uninstall the affected plugin and replace it.
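Since no patch is available, an administrator's practical options are to audit existing content for the shortcode and to understand what correct handling of the attribute looks like. The following is an added, illustrative example and is not Outgrow's code; it makes no claim about how the plugin itself renders the attribute. It assumes (hypothetically) that a well-formed id is an opaque identifier containing only letters, digits, hyphens and underscores, and it approximates WordPress's shortcode attribute syntax rather than reusing WordPress's exact regular expressions. It shows the pattern the advisory describes (an attribute echoed into HTML without escaping) beside a hardened renderer that validates against an allowlist and escapes, plus an audit routine that scans constructed sample post content for [outgrow] ids that fall outside the allowlist.

```python
"""Audit and safe-rendering helpers for a WordPress-style [outgrow id="..."] shortcode.

Added example, not the plugin's code. The allowlist and the rendered markup are
assumptions made for illustration; adjust SAFE_ID_RE to the id format your site uses.
"""
import html
import re
from dataclasses import dataclass

# Matches an [outgrow ...] shortcode and captures its attribute string.
# WordPress shortcode tags are case-sensitive, so no IGNORECASE here.
SHORTCODE_RE = re.compile(r"\[outgrow\b([^\]]*)\]")

# Approximation of WordPress attribute syntax: key="value", key='value' or key=value.
ATTR_RE = re.compile(r"(\w+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|(\S+))")

# Hypothetical allowlist for a well-formed id (assumption, see module docstring).
SAFE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def parse_attrs(attr_string: str) -> dict:
    """Parse the attribute portion of a shortcode into a dict of lower-cased keys."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_string):
        key = m.group(1).lower()
        # Exactly one of the three value groups matched; take that one.
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[key] = value
    return attrs


def escape_attr(value: str) -> str:
    """HTML-escape a value for use inside a double-quoted attribute."""
    return html.escape(value, quote=True)


def render_unescaped(attrs: dict) -> str:
    """The weakness class the advisory describes: user-controlled attribute echoed raw.

    Shown only for contrast; never use this form.
    """
    return f'<div class="outgrow-embed" data-id="{attrs.get("id", "")}"></div>'


def render_hardened(attrs: dict) -> str:
    """Validate the id against the allowlist, then escape it on output.

    Returns an empty string (renders nothing) when the id is not well-formed,
    which is safer than trying to "clean" an unexpected value.
    """
    raw = attrs.get("id", "")
    if not SAFE_ID_RE.fullmatch(raw):
        return ""
    return f'<div class="outgrow-embed" data-id="{escape_attr(raw)}"></div>'


@dataclass
class Finding:
    post_id: int
    shortcode: str
    id_value: str
    reason: str


def audit_posts(posts) -> list:
    """Scan (post_id, content) pairs and flag [outgrow] ids outside the allowlist.

    Feed it post_content exported from the wp_posts table; this lets an administrator
    locate suspicious shortcode usage across drafts, pending and published content.
    """
    findings = []
    for post_id, content in posts:
        for m in SHORTCODE_RE.finditer(content):
            attrs = parse_attrs(m.group(1))
            id_value = attrs.get("id")
            if id_value is None:
                continue  # no id attribute: nothing user-supplied to flag here
            if not SAFE_ID_RE.fullmatch(id_value):
                findings.append(Finding(post_id, m.group(0), id_value,
                                        "id contains characters outside the expected allowlist"))
    return findings


# Constructed sample content (not real site data). Post 103 carries an id with
# markup characters, the kind of value an audit should surface for review.
SAMPLE_POSTS = [
    (101, 'Welcome! [outgrow id="quiz-2026_a"]'),
    (102, "Calculator: [outgrow id='calc-7'] Survey: [outgrow id=survey_9]"),
    (103, 'Draft: [outgrow id="demo<b>x</b>"]'),
    (104, 'No id at all: [outgrow]'),
]

if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS):
        print(f"post {f.post_id}: {f.reason}: {f.shortcode!r}")
    print(render_hardened({"id": "quiz-2026_a"}))
    print(render_hardened({"id": "demo<b>x</b>"}) or "(refused: id failed allowlist)")
```

Run against the constructed sample, the audit reports only post 103. The hardened renderer refuses that same id outright, while the unescaped variant would have placed the markup characters directly into the page. Note that this scanner only checks the id attribute of [outgrow]; it is a content-audit aid for the no-patch situation, not a substitute for removing or replacing the affected plugin.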

Technical or Business Impacts

Brand and customer trust risk: If malicious scripts run on campaign or landing pages, visitors may be redirected, shown altered content, or have interactions manipulated—damaging brand credibility and conversion performance.

Data and compliance exposure: While this CVE is scored with limited confidentiality/integrity impact, stored XSS can still enable theft of session-related data in some scenarios, unauthorized actions performed in a victim’s browser context, or collection of sensitive information entered into forms—creating potential privacy, contractual, or regulatory concerns depending on what pages are affected and who views them.

Operational and revenue impact: Marketing sites and microsites are often high-traffic and time-sensitive. A successful injection can disrupt lead generation, contaminate analytics signals, and create incident response costs (content audits, page takedowns, stakeholder communications, and potential legal review).

Risk amplifiers to consider: The risk increases if many people have Contributor access, if content approvals are informal, if pages using the [outgrow] shortcode are public-facing, or if administrators frequently view those pages while logged in.

Similar Attacks

CVE-2019-8942 (WordPress core) — an example of how stored XSS issues in widely deployed CMS components can become high-impact due to the number of affected sites and the trust users place in normal content workflows.

CVE-2020-11022 (jQuery) — a well-known XSS-related vulnerability in a common web library, illustrating how browser-executed script injection can cascade into broader business risk when embedded across many pages and applications.
