PT-2026-38903 · WordPress · Nmr Strava Activities

Djaidja Moundjid · Published 2026-05-08 · Updated 2026-05-09 · CVE-2026-5341

CVSS v3.1: 6.4 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

NMR Strava activities plugin for WordPress, versions prior to 1.0.15

Description

Insufficient input sanitization and output escaping on user-supplied attributes in the strava nmr connect shortcode allow authenticated attackers with contributor-level access and above to inject arbitrary web scripts. These scripts execute whenever a user accesses a page containing the injected content. This is a Stored Cross-Site Scripting issue, where malicious scripts are permanently stored on the target server.

Recommendations

Update the plugin to a version later than 1.0.14. As a temporary workaround, restrict the use of the strava nmr connect shortcode to trusted users with higher privilege levels.
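
The weakness class described above, shown as an added example in WordPress plugin code. This is not the NMR Strava activities source or its patch: the shortcode tag `example_connect`, the attributes `label`, `class` and `url`, and both function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Connect Shortcode (illustration only)
 *
 * Added example, NOT the NMR Strava activities source. The tag
 * "example_connect" and the attributes "label", "class" and "url"
 * are hypothetical.
 */

// Vulnerable pattern (left unregistered): attribute values typed by a
// contributor are concatenated into markup and stored with the post.
function example_connect_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'label' => 'Connect', 'class' => '' ), $atts );
    return '<a class="' . $atts['class'] . '">' . $atts['label'] . '</a>';
}

// Hardened pattern: fixed attribute list, validation on input,
// context-specific escaping on output.
function example_connect_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Connect', 'class' => '', 'url' => '' ),
        $atts,
        'example_connect'
    );

    // Input side: strip tags from the label, keep only valid class tokens.
    $label   = sanitize_text_field( $atts['label'] );
    $classes = array_filter( array_map( 'sanitize_html_class', preg_split( '/\s+/', $atts['class'] ) ) );

    // esc_url() returns '' for schemes outside the allow-list given here.
    $url = esc_url( $atts['url'], array( 'https' ) );
    if ( '' === $url ) {
        return '';
    }

    // Output side: esc_attr() inside attribute values, esc_html() in text nodes.
    return sprintf(
        '<a class="%s" href="%s">%s</a>',
        esc_attr( implode( ' ', $classes ) ),
        $url,
        esc_html( $label )
    );
}
add_shortcode( 'example_connect', 'example_connect_safe' );
```

Escaping at output is what neutralizes values already saved in post content; sanitizing on input alone leaves previously stored values untouched.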

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-5341

Affected Products

Nmr Strava Activities