WordPress TourCMS Plugin: Malicious Script Injection via Shortcode
CVE-2026-1806
Summary
An attacker with contributor-level access can inject malicious scripts into pages, which will be executed when users visit those pages. This affects all versions of the Tour & Activity Operator Plugin for TourCMS up to 1.7.0. Update to a fixed version to prevent this attack.
Original title
The Tour & Activity Operator Plugin for TourCMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'target' parameter of the tourcms_doc_link shortcode in all versions up to,...
Original description
The Tour & Activity Operator Plugin for TourCMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'target' parameter of the tourcms_doc_link shortcode in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
nvd CVSS3.1
6.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026
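To review what contributors have already stored, the following added example (not code from the plugin or from this advisory) scans post content for `tourcms_doc_link` shortcodes whose `target` value is anything other than a plain keyword or frame name. Only the shortcode name and the `target` attribute come from the advisory; the function name, the safe-value pattern and the sample posts are assumptions constructed for illustration.

```python
import re

# Shortcode name and attribute name are from the advisory. The patterns,
# function name and sample data below are assumptions made for this example.
# (?<!\[) skips the escaped form [[shortcode]], which WordPress prints literally.
SHORTCODE = re.compile(r"(?<!\[)\[tourcms_doc_link(?![\w-])([^\]]*)\]", re.IGNORECASE)

# WordPress accepts name="v", name='v' and name=v for shortcode attributes.
TARGET = re.compile(
    r"""(?<![\w-])target\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""",
    re.IGNORECASE,
)

# Assumed policy: a legitimate target is a keyword such as _blank or a simple
# frame name, so quotes, spaces, angle brackets, etc. are treated as suspicious.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]{0,64}$")


def audit_posts(posts):
    """Return (post_id, target_value) for each shortcode use needing review."""
    findings = []
    for post_id, content in posts:
        for shortcode in SHORTCODE.finditer(content):
            for match in TARGET.finditer(shortcode.group(1)):
                # Exactly one of the three capture groups is set per match.
                value = next(g for g in match.groups() if g is not None)
                if not SAFE_VALUE.match(value):
                    findings.append((post_id, value))
    return findings


# Constructed sample rows in the shape (ID, post_content).
SAMPLE_POSTS = [
    (101, 'Terms: [tourcms_doc_link target="_blank"]'),
    (102, "Docs: [tourcms_doc_link target='_self'] and more text"),
    (103, "[tourcms_doc_link target=\"_blank' data-constructed='1\"]"),
    (104, 'No shortcode here, only target="x y" in plain text.'),
    (105, "[tourcms_doc_link target=_top]"),
]

if __name__ == "__main__":
    for post_id, value in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: review target value {value!r}")
```

Feed it `(ID, post_content)` rows exported from `wp_posts`; a hit is a value to review, not proof of injection.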