Attack Vectors
CVE-2026-1806 is a Medium severity stored cross-site scripting (XSS) issue (CVSS 6.4) affecting the Tour & Activity Operator Plugin for TourCMS (WordPress slug: tour-operator-plugin) in versions <= 1.7.0. The vulnerability is reachable over the network and can be exploited by an authenticated user with Contributor-level access or higher.
The attack is carried out by placing a malicious value in the target attribute of the tourcms_doc_link shortcode inside a post or page. Because the plugin neither sanitizes that attribute on input nor escapes it on output, the injected script is stored in WordPress content and executes in the browser of anyone who later views the affected page.
This matters operationally because Contributor accounts are common in marketing workflows (content authors, agencies, interns). A Contributor cannot publish on their own, but the shortcode is stored as soon as the draft is saved, and an Editor or Administrator who previews or publishes that draft views the rendered content; once published, the payload reaches customer-facing pages. If one of those accounts is compromised (password reuse, phishing, shared credentials), ordinary content-authoring permissions are enough to plant persistent malicious code.
Security Weakness
The core weakness is insufficient input sanitization and output escaping for the target attribute of the tourcms_doc_link shortcode. This is the classic stored XSS pathway: untrusted input is accepted, saved, and later rendered into HTML for site visitors without being escaped for that context.
Because the vulnerability is stored, the payload executes for every visitor to the compromised page until it is identified and removed. This increases business risk compared to “reflected” issues, which typically require a victim to be lured into clicking a crafted link.
There is currently no known patch available for affected versions up to and including 1.7.0, which shifts the decision from “apply an update” to “mitigate or replace” based on your organization’s risk tolerance and exposure.
Technical or Business Impacts
If exploited, stored XSS in the Tour & Activity Operator Plugin for TourCMS can lead to customer-impacting and brand-impacting outcomes, including: defacement of key landing pages, malicious redirects, fake booking or payment prompts, and the insertion of tracking scripts that collect sensitive information entered by users.
From a leadership and compliance perspective, the most common business impacts include loss of customer trust, reduced conversion rates (due to browser warnings or suspicious behavior), potential regulatory exposure if customer data is harvested, and incident response costs (forensics, cleanup, communications, and possibly legal counsel).
Given that there is no known patch, practical mitigations include: removing or replacing the plugin; minimizing the number of users with Contributor-level access or higher; tightening editorial workflows so that posts containing shortcodes are reviewed before publication; and monitoring for unexpected changes to pages that use tourcms_doc_link. Your security team can also add detection for suspicious shortcode usage and review published content, and pending drafts, for target attribute values that are not ordinary link targets.
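To support that last point, here is an added example (not code from the plugin, the advisory, or TourCMS) that reviews exported post content for tourcms_doc_link shortcodes whose target attribute is not a normal link target. It assumes you first export rows of post ID and post_content, for instance with WP-CLI: `wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%tourcms_doc_link%'"` (the `wp_` table prefix is the default and may differ on your site; this query also returns drafts and pending posts, which is what you want). The sample rows inside the script are constructed for the demonstration, and the allowlist of accepted target values is the reviewer's assumption, since the plugin does not document one.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Normal HTML browsing-context names for a link target. This allowlist is the
# reviewer's assumption; the plugin does not publish a list of accepted values.
ALLOWED_TARGETS = {"_blank", "_self", "_parent", "_top"}

# Capture the attribute string of each tourcms_doc_link shortcode. WordPress
# does not allow ']' inside shortcode attributes, so stopping at the first ']'
# mirrors its own parser.
SHORTCODE_RE = re.compile(r"\[tourcms_doc_link\b([^\]]*)\]", re.IGNORECASE)

# The three attribute forms WordPress's shortcode_parse_atts() accepts:
# name="value", name='value' and bare name=value.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Fragments that have no place in a link target: quotes or angle brackets that
# close the attribute or tag, inline event handlers, javascript: URLs and
# numeric entities used to disguise them.
INJECTION_RE = re.compile(r"""["'<>]|\bon\w+\s*=|javascript\s*:|&#""", re.IGNORECASE)


@dataclass
class Finding:
    post_id: int
    target: str
    reason: str  # "injection-pattern" or "unexpected-value"


def parse_atts(attr_text: str) -> dict:
    """Return the shortcode's attributes as lower-cased name -> value."""
    atts = {}
    for m in ATTR_RE.finditer(attr_text):
        name, dq, sq, bare = m.groups()
        atts[name.lower()] = dq if dq is not None else (sq if sq is not None else bare)
    return atts


def classify_target(value: str) -> Optional[str]:
    """None for a normal target, otherwise the reason it should be reviewed."""
    if INJECTION_RE.search(value):
        return "injection-pattern"
    if value not in ALLOWED_TARGETS:
        return "unexpected-value"
    return None


def scan_posts(rows: Iterable[Tuple[int, str]]) -> List[Finding]:
    """Walk (post_id, post_content) rows and collect shortcodes whose target needs review."""
    findings = []
    for post_id, content in rows:
        for sc in SHORTCODE_RE.finditer(content):
            atts = parse_atts(sc.group(1))
            if "target" not in atts:
                continue
            reason = classify_target(atts["target"])
            if reason is not None:
                findings.append(Finding(post_id, atts["target"], reason))
    return findings


# Constructed sample rows (not real site data): two benign uses, one value that
# breaks out of the attribute with a quote and adds an event handler (the shape
# a stored-XSS payload takes), and one odd but harmless-looking frame name.
SAMPLE_ROWS = [
    (101, 'Download: [tourcms_doc_link doc="brochure" target="_blank"]'),
    (102, "[tourcms_doc_link doc='terms' target=_self] and some text"),
    (103, """[tourcms_doc_link doc="map" target='" onmouseover="alert(1)']"""),
    (104, '[tourcms_doc_link doc="waiver" target="popupFrame"]'),
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_ROWS):
        print(f"post {f.post_id}: target={f.target!r} ({f.reason})")
```

Treat an injection-pattern hit as an indicator of compromise for the account that saved that revision (check the post's author and revision history), not just as content to clean up; an unexpected-value hit is usually a legitimate frame name and only needs a quick human look. The same allowlist check is what the rendering code should apply before the value ever reaches HTML.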
Similar Attacks
Stored XSS has been used repeatedly in real-world WordPress and web ecosystem attacks because it enables persistent, invisible manipulation of pages that customers trust. A widely exploited plugin example is:
CVE-2019-9978 (Social Warfare plugin, before 3.5.3) – Stored XSS via the plugin's settings import, abused in the wild to inject redirects
Two other WordPress-ecosystem flaws that were exploited at scale through similarly exposed, low-privilege entry points, although they are not XSS, are:
CVE-2017-5487 (WordPress Core 4.7.0) – Unauthenticated user enumeration through the REST API users endpoint
CVE-2020-25213 (File Manager plugin, before 6.9) – Unauthenticated arbitrary file upload
For reference on this specific issue, see the official CVE entry: CVE-2026-1806.