Mallory
Medium

Reflected XSS in Shield Security WordPress Plugin message Parameter

Identifiers: CVE-2026-0561, CWE-79 (Improper Neutralization of Input…)

The Shield Security plugin for WordPress is vulnerable to reflected cross-site scripting (XSS) via the 'message' parameter in all versions up to and including 21.0.8. The issue is caused by insufficient input sanitization and output escaping of attacker-controlled input before it is reflected into a web page. An unauthenticated attacker can craft a malicious request or link containing arbitrary script payloads in the 'message' parameter; if a victim visits the crafted URL or otherwise triggers the affected page, the injected script executes in the victim’s browser within the security context of the target WordPress site.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary JavaScript execution in the victim’s browser in the context of the affected WordPress site. This can enable session hijacking, credential theft, phishing or UI redressing, exfiltration of sensitive page data, and execution of unauthorized actions as the victim, including administrative actions if the victim is a privileged WordPress user.

Mitigation

If you can’t patch tonight, do this now.

Until a fixed version is deployed, reduce exposure by restricting access to affected plugin endpoints, implementing WAF or reverse-proxy rules to block or sanitize malicious 'message' parameter values and common XSS payloads, and warning users and administrators not to follow untrusted links targeting the site. If operationally feasible, temporarily disable the plugin until remediation is completed.
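As an added illustration of the detection side of the interim mitigation above (not code from this advisory or from the plugin vendor), the following Python scans web-server access-log lines for requests whose 'message' query parameter carries markup or script-bearing content, decoding twice so that a double-URL-encoded value is still caught. The log lines, client addresses and request paths are constructed for the example; the page does not name the affected endpoint, so the paths are placeholders. A WAF or reverse-proxy rule would apply the same test to the request before it reaches WordPress.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines in the common combined format.
# Addresses and request paths are placeholders for the example, not the
# plugin's real endpoint. Line 3 carries a double-encoded value.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=example-page&message=Settings+saved HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2026:10:00:02 +0000] "GET /wp-admin/admin.php?page=example-page&message=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2026:10:00:03 +0000] "GET /index.php?message=%253Cimg+src%253Dx+onerror%253Dalert(1)%253E HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.9 - - [10/Jan/2026:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Pulls method and request target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Markup or script-bearing content that a plain status message never needs:
# angle brackets, a javascript: scheme, or an on...= event-handler attribute.
SUSPICIOUS = re.compile(r"[<>]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def extract_message(line):
    """Return the decoded 'message' query value from one log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    values = parse_qs(query, keep_blank_values=True).get("message")
    if not values:
        return None
    # parse_qs already decoded once; decoding again exposes a value that
    # was percent-encoded twice to slip past a single-pass filter.
    return unquote_plus(values[0])


def is_suspicious(value):
    """True when the decoded value contains markup or script indicators."""
    return bool(SUSPICIOUS.search(value))


def scan_log(text=SAMPLE_LOG):
    """Return (line_number, client_ip, decoded_message) for every hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        msg = extract_message(line)
        if msg is not None and is_suspicious(msg):
            client = line.split(" ", 1)[0]
            hits.append((n, client, msg))
    return hits


if __name__ == "__main__":
    for n, ip, msg in scan_log():
        print(f"line {n}: {ip} sent message={msg!r}")
```

The check is deliberately narrow (one parameter, a short indicator list) so it stays cheap enough to run on the hot path; a broader payload signature set belongs in the WAF's own rule library.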

Remediation

Patch, then assume compromise.

Upgrade the Shield Security plugin to a version newer than 21.0.8 that fixes the handling of the 'message' parameter by implementing proper input sanitization and output escaping. If a vendor patch or fixed release is available, apply it promptly across all affected WordPress instances.
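The remediation above describes output escaping and input sanitization of the reflected value. As an added example that is not the plugin's code and not its actual patch (the vendor's fix is not shown on this page), here is that pattern in Python: a renderer that reflects the parameter verbatim (the 'before' shape of the bug), the same renderer with HTML escaping at the point of output, and a stricter variant that accepts only an allowlisted message key so free-form text never reaches the page. The template and message table are constructed for the illustration. In WordPress PHP the escaping step corresponds to esc_html() for element content and esc_attr() for attribute values.

```python
import html

# Constructed example of a notice banner that reflects the 'message' query
# parameter. Not the Shield Security plugin's code and not its actual fix.
TEMPLATE = '<div class="notice" data-msg="{attr}">{body}</div>'

# Fixed, server-controlled texts; the request may only select one by key.
KNOWN_MESSAGES = {
    "saved": "Settings saved.",
    "error": "Something went wrong. Please try again.",
}


def render_vulnerable(message):
    """'Before' shape of the bug: the parameter lands in the page verbatim."""
    return TEMPLATE.format(attr=message, body=message)


def render_escaped(message):
    """Output escaping: the value is HTML-encoded at the point of output.

    html.escape(quote=True) encodes <, >, &, " and ', so the result is safe
    both inside a quoted attribute value and as element content; in
    WordPress the equivalents are esc_attr() and esc_html().
    """
    safe = html.escape(message, quote=True)
    return TEMPLATE.format(attr=safe, body=safe)


def render_allowlisted(message_key):
    """Input validation on top of escaping: anything that is not a known
    message key renders no notice at all, so free text never reaches output."""
    if message_key not in KNOWN_MESSAGES:
        return ""
    return TEMPLATE.format(
        attr=html.escape(message_key, quote=True),
        body=html.escape(KNOWN_MESSAGES[message_key], quote=True),
    )


def reflects_markup(rendered):
    """True when the dynamic part survived as live markup.

    The template itself contributes exactly two '<' characters (the opening
    and closing div); any more means the reflected value was not neutralized.
    """
    return rendered.count("<") > 2


if __name__ == "__main__":
    probe = "<b>not a real message</b>"
    for fn in (render_vulnerable, render_escaped, render_allowlisted):
        print(fn.__name__, reflects_markup(fn(probe)), fn(probe))
```

Escaping alone closes this bug class; the allowlist is the defence-in-depth step that also removes the reflected parameter as a phishing lever, since the page can then only ever show one of the fixed strings.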

PUBLIC EXPLOITS


No public exploit code observed for this vulnerability.
