CVE-2026-1099
Stored XSS in WordPress Administrative Shortcodes Plugin Allows Script Injection
Publication date: 2026-01-24
Last updated on: 2026-01-24
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hassan_derakhshandeh | administrative_shortcodes | to 0.3.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Administrative Shortcodes WordPress plugin (up to version 0.3.4) is a Stored Cross-Site Scripting (XSS) issue. It occurs because the plugin does not properly sanitize or escape input in the 'login' and 'logout' shortcode attributes. This allows authenticated users with Contributor-level access or higher to inject malicious scripts into pages. These scripts then execute whenever any user views the affected page, potentially compromising user data or site integrity. [2]
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access or above to inject arbitrary web scripts into pages. When other users visit these pages, the malicious scripts execute in their browsers, which can lead to theft of user credentials, session hijacking, defacement, or other malicious actions. It compromises the security and trustworthiness of the website and can affect all users who access the injected content. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying the presence of the Administrative Shortcodes plugin version 0.3.4 or earlier on your WordPress installation and checking for usage of the 'login' and 'logout' shortcode attributes that may contain injected scripts. You can scan your WordPress plugin directory for the plugin version. Additionally, inspecting pages or posts that use these shortcodes for suspicious script tags or unexpected JavaScript execution can help detect exploitation. Commands to detect the plugin version include: 1) Using WP-CLI: `wp plugin list --format=json` to check installed plugin versions. 2) Searching for shortcode usage in the WordPress database: `wp db query "SELECT post_content FROM wp_posts WHERE post_content LIKE '%[login%' OR post_content LIKE '%[logout%'"`. 3) Using grep on the web root to find shortcode usage: `grep -r '\[login' /path/to/wordpress/wp-content/uploads/` or similar. Monitoring HTTP requests for unusual script payloads or unexpected POST requests from Contributor-level users may also help detect exploitation. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Updating the Administrative Shortcodes plugin to a version that fixes the vulnerability, if available. Since the plugin has not been updated in over five years, consider disabling or removing it entirely if no patch exists. 2) Restricting Contributor-level and above users from adding or editing content that uses the vulnerable 'login' and 'logout' shortcode attributes until the issue is resolved. 3) Implementing Web Application Firewall (WAF) rules to block or sanitize malicious script injections targeting these shortcodes. 4) Reviewing and sanitizing existing content for injected scripts. 5) Monitoring user activity for suspicious behavior related to shortcode usage. These steps reduce the risk of stored cross-site scripting exploitation. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how the vulnerability in the Administrative Shortcodes plugin affects compliance with common standards and regulations such as GDPR or HIPAA.