CVE-2026-4006
Stored XSS in Simple Draft List WordPress Plugin via display_name Meta

Publication date: 2026-03-19

Last updated on: 2026-03-19

Assigner: Wordfence

Description
The Simple Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'display_name' post meta (Custom Field) in all versions up to and including 2.6.2. This is due to insufficient input sanitization and output escaping on the author display name when no author URL is present. The plugin accesses `$draft_data->display_name` which, because `display_name` is not a native WP_Post property, triggers WP_Post::__get() and resolves to `get_post_meta($post_id, 'display_name', true)`. When the `user_url` meta field is empty, the `$author` value is assigned to `$author_link` on line 383 without any escaping (unlike line 378 which uses `esc_html()` for the `{{author}}` tag, and line 381 which uses `esc_html()` when a URL is present). This unescaped value is then inserted into the shortcode output via `str_replace()`. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page containing the `[drafts]` shortcode with the `{{author+link}}` template tag.
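As an added illustration (not the plugin's own code), the following PHP reconstructs the escaping gap the description points at: the same `{{author+link}}` substitution with the unescaped `else` branch beside a form that escapes in every branch. Function names, the `esc_html()` stand-in and the sample meta value are assumptions based only on the text above.

```php
<?php
// Added illustration, not the Simple Draft List source: the structure below is
// reconstructed from the advisory text, and line numbers refer to its wording.

// Stand-in for WordPress esc_html() so the script runs outside WordPress.
function esc_html_stub(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// $author plays the role of the 'display_name' post meta (contributor-controlled
// via Custom Fields); $user_url plays the role of the 'user_url' meta.
function render_author_link_vulnerable(string $author, string $user_url): string {
    if ($user_url !== '') {
        // URL present: the display name is escaped (the "line 381" case).
        $author_link = '<a href="' . htmlspecialchars($user_url, ENT_QUOTES) . '">'
                     . esc_html_stub($author) . '</a>';
    } else {
        // URL absent: the raw meta value reaches the markup unchanged (the "line 383" case).
        $author_link = $author;
    }
    // Template substitution as the advisory describes: plain str_replace().
    return str_replace('{{author+link}}', $author_link, '<li>{{author+link}}</li>');
}

// Hardened form: the value is escaped before it enters the markup in both branches,
// matching the fix the advisory attributes to 2.6.3.
function render_author_link_fixed(string $author, string $user_url): string {
    if ($user_url !== '') {
        $author_link = '<a href="' . htmlspecialchars($user_url, ENT_QUOTES) . '">'
                     . esc_html_stub($author) . '</a>';
    } else {
        $author_link = esc_html_stub($author);
    }
    return str_replace('{{author+link}}', $author_link, '<li>{{author+link}}</li>');
}

// Constructed sample meta value: harmless markup is enough to show the difference.
$sample = '<b>Alice</b>';
var_dump(render_author_link_vulnerable($sample, '') === '<li><b>Alice</b></li>');       // bool(true): tag survives
var_dump(render_author_link_fixed($sample, '') === '<li>&lt;b&gt;Alice&lt;/b&gt;</li>'); // bool(true): tag neutralised
```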
Meta Information
Published: 2026-03-19
Last Modified: 2026-03-19
Generated: 2026-05-07
AI Q&A: 2026-03-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4006 is a Stored Cross-Site Scripting (XSS) vulnerability in the Simple Draft List plugin for WordPress, affecting all versions up to and including 2.6.2.

The vulnerability arises because the plugin does not properly sanitize or escape the 'display_name' post meta field (a custom field) when displaying the author name without an author URL.

Specifically, when the 'user_url' meta field is empty, the plugin assigns the author name directly to the output without escaping it, allowing authenticated users with Contributor-level access or higher to inject malicious scripts.

These injected scripts execute whenever a user views a page containing the '[drafts]' shortcode with the '{{author+link}}' template tag.


How can this vulnerability impact me?

This vulnerability allows authenticated users with Contributor-level access or above to inject arbitrary malicious scripts into pages that display draft lists using the '[drafts]' shortcode.

As a result, any user who views these pages may have malicious scripts executed in their browser, potentially leading to session hijacking, data theft, or other malicious actions.

Because the vulnerability is a Stored XSS, the malicious code is persistently stored in the site’s database and served to users repeatedly.

This can compromise the security and integrity of your WordPress site and its users.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'display_name' post meta in the Simple Draft List WordPress plugin, versions up to 2.6.2. Detection involves identifying whether the vulnerable plugin version is installed and whether the [drafts] shortcode with the {{author+link}} template tag is used.

To detect the vulnerability on your system, check the installed version of the Simple Draft List plugin. If it is version 2.6.2 or earlier, it is vulnerable.

Suggested commands to detect the vulnerable plugin version on a WordPress installation:

- Navigate to the WordPress plugins directory, e.g. `cd /path/to/wordpress/wp-content/plugins/simple-draft-list`
- Check the plugin version by inspecting the main plugin file: `grep 'Version:' simple-draft-list.php`
- Alternatively, use WP-CLI to list plugin versions: `wp plugin list --path=/path/to/wordpress` and look for the 'simple-draft-list' entry.

To detect exploitation attempts on your network, monitor HTTP requests for the presence of the [drafts] shortcode with the {{author+link}} template tag, or for suspicious input in the 'display_name' post meta field, especially scripts or HTML tags. [1, 2, 4]


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation step is to update the Simple Draft List plugin to version 2.6.3 or later, where the vulnerability has been fixed.

Version 2.6.3 addresses the Stored Cross-Site Scripting vulnerability by properly escaping the author name output using `esc_html()`, preventing malicious script injection via the author display name when no author URL is present.

If updating immediately is not possible, consider disabling or removing the Simple Draft List plugin temporarily to prevent exploitation.

Additionally, review and sanitize any existing 'display_name' post meta fields to remove potentially malicious scripts.

Ensure that user roles and permissions are properly configured to restrict Contributor-level users from injecting malicious content. [1]
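Two triage helpers for the detection step above (version check) and the mitigation step above (review of stored 'display_name' meta), added here as example code that is not from the advisory or the plugin. Assumptions: the plugin's main file carries a standard WordPress `Version:` header, 2.6.3 is the first fixed release, and the meta values are exported beforehand (for instance with WP-CLI) into a post_id => value array.

```php
<?php
// Added helper, not the plugin's own code. Assumes a standard WordPress
// "Version:" plugin header and that 2.6.3 is the first fixed release.

const SIMPLE_DRAFT_LIST_FIXED_VERSION = '2.6.3';

// Read the Version: header out of a plugin file's contents and report whether
// it is below the fixed release. Returns null when no header is found.
function simple_draft_list_is_affected(string $plugin_file_contents): ?bool {
    $pattern = '/^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)/mi';
    if (!preg_match($pattern, $plugin_file_contents, $m)) {
        return null; // header missing: cannot decide, inspect manually
    }
    return version_compare($m[1], SIMPLE_DRAFT_LIST_FIXED_VERSION, '<');
}

// Flag stored 'display_name' meta values that contain HTML markup, including
// entity-encoded markup. False positives are acceptable: the result is a list
// of post ids worth manual review, not an automatic cleanup.
function find_suspicious_display_names(array $meta_by_post): array {
    $flagged = [];
    foreach ($meta_by_post as $post_id => $value) {
        $decoded = html_entity_decode((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($decoded !== strip_tags($decoded)) {
            $flagged[] = $post_id;
        }
    }
    return $flagged;
}

// Constructed sample inputs (not real site data).
$header = "<?php\n/*\nPlugin Name: Simple Draft List\nVersion: 2.6.2\n*/\n";
var_dump(simple_draft_list_is_affected($header));                                 // bool(true)
var_dump(simple_draft_list_is_affected(str_replace('2.6.2', '2.6.3', $header)));  // bool(false)

$meta = [
    10 => 'Alice Example',                  // plain name, not flagged
    11 => 'Bob <i>Writer</i>',              // raw markup
    12 => '&lt;b&gt;Carol&lt;/b&gt;',       // entity-encoded markup
];
var_dump(find_suspicious_display_names($meta)); // [11, 12]
```

On a live site the `$meta` array would come from a postmeta export filtered on meta_key = 'display_name'; flagged posts should be reviewed and their meta cleaned by an administrator rather than rewritten blindly.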

