Stored Cross-Site Scripting in Ravelry Designs Widget for WordPress
CVE-2026-1903

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Ravelry Designs Widget
Vendor: CVE Published:; 14 February 2026

What is CVE-2026-1903?

The Ravelry Designs Widget for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping of the 'layout' attribute in the 'sb_ravelry_designs' shortcode. This vulnerability affects all versions up to and including 1.0.0. It enables authenticated attackers, having contributor-level access or above, to inject malicious scripts, which will execute on pages visited by users, compromising the integrity of the site and the safety of its visitors.

Affected Version(s)

Ravelry Designs Widget 0 <= 1.0.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.svn.wordpress.org/ravelry-designs-widget/...

https://plugins.trac.wordpress.org/browser/ravelry-design...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 14, 2026
Vulnerability Reserved
Feb 4, 2026

Credit

Muhammad Yudha - DJ

CVE-2026-1903 Data

JSON