CVE-2026-5247

Name of the Vulnerable Software and Affected Versions Schedule Post Changes With PublishPress Future versions prior to 4.10.1

Description Stored Cross-Site Scripting occurs due to insufficient input sanitization of the wrapper attribute within the [futureaction] shortcode. The plugin utilizes the esc html() function, which encodes HTML entities but fails to prevent attribute injection when the value is used as an HTML tag name in a sprintf() call. This allows authenticated attackers with administrator-level access, or contributors if granted permission, to inject event handler attributes via spaces in the wrapper value. Consequently, arbitrary web scripts can be injected into pages and executed when a user accesses them.

Recommendations Update to a version later than 4.10.0. As a temporary workaround, restrict the use of the wrapper attribute in the [futureaction] shortcode to trusted administrators only.