Ultimate Post WordPress Plugin Stored Cross-Site Scripting Vulnerability
The Ultimate Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'moreResultsText' block attribute of the ultimate-post/advanced-search block in versions up to and including 5.0.31. This is due to insufficient input sanitization and output escaping in the Advanced_Search::content() render callback: the attribute value is filtered with wp_kses(), which strips disallowed HTML tags but does NOT escape HTML special characters such as double quotes in plain text, and the result is then concatenated directly into the data-viewmoretext HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Quick answer
Ultimate Post should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Ultimate Post up to and including 5.0.31
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
Ultimate Post is affected by CVE-2026-13253. Vulnerable versions up to 5.0.31 allow stored cross-site scripting: contributor-level users can inject stored script through the moreResultsText block attribute. Patch or disable the plugin, then clean stored content and review administrator sessions.
- Inventory all WordPress sites using Ultimate Post.
- Update Ultimate Post beyond 5.0.31 when a vendor-fixed release is available.
- Disable the plugin temporarily if patching is delayed and the affected workflow is reachable.
- Review shortcode attributes, form submissions, merge fields, blocks, and plugin records for stored script payloads.
- Remove malicious content and purge WordPress, object, page, and CDN caches.
- Apply a Content Security Policy where compatible to reduce XSS impact.
- Review administrator sessions and reset credentials if privileged users interacted with injected content.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Ultimate Post is no longer running version 5.0.31 or older.
- Submit harmless script-like input in staging and confirm it is rejected or escaped on output.
- Open affected pages or admin lookup flows and confirm no stored script executes.
- Review rendered HTML for unsafe unescaped plugin attributes.
- Run a Fixnx scan and verify public WordPress exposure after cleanup.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-13253?
Ultimate Post versions listed as affected should be reviewed: Ultimate Post up to and including 5.0.31.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
