EUVD-2026-14146
GHSA-2rgw-rqcx-h77r
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Description
The Show Posts list - Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_type' shortcode attribute in the 'swiftpost-list' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Show Posts List plugin for WordPress (versions up to 1.1.0) affecting the 'swiftpost-list' shortcode's 'post_type' attribute due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level privileges or higher can inject arbitrary JavaScript code into pages, which executes whenever any user views the compromised page. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running all and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today