Platform
wordpress
Component
ibtana-visual-editor
Fixed in
1.2.6
CVE-2026-1834 is a stored Cross-Site Scripting (XSS) vulnerability found in the Ibtana – WordPress Website Builder plugin. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the injected page, potentially leading to account compromise or other malicious activities. The vulnerability affects versions up to and including 1.2.5.7 of the Ibtana plugin and has been fixed in version 1.2.5.8.
CVE-2026-1834 in the Ibtana – WordPress Website Builder plugin introduces a Stored Cross-Site Scripting (XSS) vulnerability. An authenticated attacker, possessing contributor-level access or higher, can inject malicious JavaScript code into web pages via the plugin's 'ive' shortcode. When other users access these pages, the injected script executes within their browsers, potentially allowing the attacker to steal cookies, redirect users to malicious websites, or perform other actions on their behalf. The root cause lies in insufficient input sanitization and output escaping of user-supplied attributes within the 'ive' shortcode. This vulnerability poses a significant risk to website security and user data integrity.
An attacker with contributor-level access or higher on a website utilizing the Ibtana plugin can exploit this vulnerability. The attacker can inject malicious JavaScript code through the 'ive' shortcode. This code will be stored in the database and executed each time a user visits the affected page. Exploitation is relatively straightforward if the attacker has the required privileges. The lack of input validation within the plugin facilitates the injection of malicious code. This vulnerability affects all plugin versions prior to 1.2.5.8.
Exploit Status
EPSS
0.04% (11% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for this vulnerability is to update the Ibtana – WordPress Website Builder plugin to version 1.2.5.8 or later. This update incorporates necessary fixes to properly sanitize and escape user inputs, preventing the injection of malicious code. Prior to updating, it is strongly advised to create a full backup of your website. Furthermore, review existing pages utilizing the 'ive' shortcode to ensure no malicious code has been previously injected. Regularly updating plugins is a crucial security best practice for any WordPress website.
Update to version 1.2.5.8, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into websites viewed by other users.
It means the attacker has a level of access to the WordPress site that allows them to create and edit content, but not necessarily full administrative access.
If you are using a version of the Ibtana plugin prior to 1.2.5.8, your site is vulnerable. Update immediately.
Change all passwords related to the website, including the database, WordPress admin, and any user accounts. Perform a comprehensive security scan of the site.
Several vulnerability scanning tools can help detect XSS, both free and paid.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.