Stored Cross-Site Scripting in Ravelry Designs Widget for WordPress
CVE-2026-1903

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Ravelry Designs Widget
Vendor: CVE Published:; 14 February 2026

What is CVE-2026-1903?

The Ravelry Designs Widget for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping of the 'layout' attribute in the 'sb_ravelry_designs' shortcode. This vulnerability affects all versions up to and including 1.0.0. It enables authenticated attackers, having contributor-level access or above, to inject malicious scripts, which will execute on pages visited by users, compromising the integrity of the site and the safety of its visitors.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Ravelry Designs Widget * <= 1.0.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.svn.wordpress.org/ravelry-designs-widget/...

https://plugins.trac.wordpress.org/browser/ravelry-design...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Feb 14, 2026
Vulnerability Reserved
Feb 4, 2026

Credit

Muhammad Yudha - DJ

JSON

WordPress