CVE-2026-56006

Interactive Content – H5P <= 1.17.6 - Reflected Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
1.17.7
Patched in
6d
Time to patch

Description

The Interactive Content – H5P plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.17.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.17.6
PublishedJune 18, 2026
Last updatedJune 23, 2026
Affected pluginh5p

What Changed in the Fix

Changes introduced in v1.17.7

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This exploitation research plan targets **CVE-2026-56006**, a reflected Cross-Site Scripting (XSS) vulnerability in the Interactive Content – H5P plugin for WordPress. ### 1. Vulnerability Summary The vulnerability exists in the library management interface of the H5P plugin. Specifically, the `des…

Show full research plan

This exploitation research plan targets CVE-2026-56006, a reflected Cross-Site Scripting (XSS) vulnerability in the Interactive Content – H5P plugin for WordPress.

1. Vulnerability Summary

The vulnerability exists in the library management interface of the H5P plugin. Specifically, the destination and id query parameters are used in the admin views (admin/views/library-delete.php and admin/views/library-content-upgrade.php) without sufficient output escaping. While the controller (admin/class-h5p-library-admin.php) performs some sanitization on the id for database queries, the view files directly access $_GET or $_REQUEST parameters to render "Cancel" links or form actions, allowing an attacker to inject arbitrary JavaScript.

2. Attack Vector Analysis

  • Vulnerable Endpoint: /wp-admin/admin.php
  • Action/Page: h5p_libraries
  • Vulnerable Parameters: destination (Primary), id (Secondary in views)
  • Authentication Required: Unauthenticated attacker (targeting an authenticated Administrator). The CVSS vector PR:N/UI:R indicates that an attacker can trigger this by tricking a logged-in admin into clicking a malicious link.
  • Preconditions: At least one H5P library must be installed/uploaded so that the id parameter points to a valid database record, allowing the get_library() check to pass and the vulnerable view to be included.

3. Code Flow

  1. An administrator clicks a link: /wp-admin/admin.php?page=h5p_libraries&task=delete&id=1&destination=javascript:alert(1)
Research Findings
Static analysis — not yet PoC-verified

Summary

The Interactive Content – H5P plugin for WordPress is vulnerable to reflected Cross-Site Scripting (XSS) due to improper sanitization and escaping of the 'destination' query parameter in its administrative library management pages. An attacker can exploit this by tricking an authenticated administrator into clicking a crafted link, leading to the execution of arbitrary JavaScript in the context of the user's browser session.

Vulnerable Code

/* File: admin/class-h5p-library-admin.php (Line ~448 in 1.17.6) */
'done' => sprintf(__('You have successfully upgraded %s.', $this->plugin_slug), $contents_plural) . ($return ? '<br/><a href="' . $return . '">' . __('Return', $this->plugin_slug) . '</a>' : ''),

---

/* The vulnerability also affects library-delete.php and library-content-upgrade.php views where $_GET['destination'] is rendered directly into 'href' attributes or form 'action' attributes without escaping. */

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/h5p/1.17.6/admin/class-h5p-library-admin.php /home/deploy/wp-safety.org/data/plugin-versions/h5p/1.17.7/admin/class-h5p-library-admin.php
--- /home/deploy/wp-safety.org/data/plugin-versions/h5p/1.17.6/admin/class-h5p-library-admin.php	2026-03-03 13:17:44.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/h5p/1.17.7/admin/class-h5p-library-admin.php	2026-05-07 10:45:56.000000000 +0000
@@ -445,7 +445,7 @@
         'errorLibrary' => __('Missing required library %lib.', $this->plugin_slug),
         'errorTooHighVersion' => __('Parameters contain %used while only %supported or earlier are supported.', $this->plugin_slug),
         'errorNotSupported' => __('Parameters contain %used which is not supported.', $this->plugin_slug),
-        'done' => sprintf(__('You have successfully upgraded %s.', $this->plugin_slug), $contents_plural) . ($return ? '<br/><a href="' . $return . '">' . __('Return', $this->plugin_slug) . '</a>' : ''),
+        'done' => sprintf(__('You have successfully upgraded %s.', $this->plugin_slug), $contents_plural) . ($return && wp_http_validate_url($return) ? '<br/><a href="' . sanitize_url($return) . '">' . __('Return', $this->plugin_slug) . '</a>' : ''),
         'library' => array(
           'name' => $library->name,
           'version' => $library->major_version . '.' . $library->minor_version,

Exploit Outline

The exploit targets an authenticated Administrator interacting with the H5P library management interface. 1. The attacker identifies a valid H5P library ID. 2. The attacker crafts a URL targeting `/wp-admin/admin.php?page=h5p_libraries&task=upgrade&id=[ID]&destination=javascript:alert(1)`. 3. When the admin visits this URL and either completes an upgrade or clicks a 'Cancel/Return' link, the malicious `destination` payload is rendered directly into an `<a>` tag's `href` attribute without sanitization. 4. If the administrator clicks the resulting link, the JavaScript payload executes in their session, potentially allowing for site takeover or data theft.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.