Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.4
Ravelry Designs Widget plugin for WordPress: Malicious Script Injection via Shortcode Attribute
CVE-2026-1903
Summary
The Ravelry Designs Widget plugin for WordPress is vulnerable to a security risk. An attacker with contributor-level access or higher can inject malicious scripts into pages, which can be executed when users visit those pages. To fix this, update the plugin to a version newer than 1.0.0.
Original title
The Ravelry Designs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'layout' attribute of the 'sb_ravelry_designs' shortcode in all versions up to, and including, 1...
Original description
The Ravelry Designs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'layout' attribute of the 'sb_ravelry_designs' shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
nvd CVSS3.1
6.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://plugins.svn.wordpress.org/ravelry-designs-widget/trunk/ravelry-designs-w...
- https://plugins.trac.wordpress.org/browser/ravelry-designs-widget/tags/1.0.0/rav...
- https://plugins.trac.wordpress.org/browser/ravelry-designs-widget/trunk/ravelry-...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6290559d-5902-455c-bc3...
Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026