CVE-2026-4120
Stored XSS in WordPress Info Cards Plugin via btnUrl Parameter
Publication date: 2026-03-19
Last updated on: 2026-03-19
Assigner: Wordfence
Description
CVSS Scores
CVSS v3.1 base score: 6.4 (Medium)
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | info_cards | up to and including 2.0.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Info Cards – Add Text and Media in Card Layouts WordPress plugin is a Stored Cross-Site Scripting (XSS) issue affecting the 'btnUrl' parameter within the Info Cards block in all versions up to and including 2.0.7.
This happens because the plugin does not properly validate URL schemes, allowing javascript: protocol URLs to be injected. The plugin's render.php file passes attributes as JSON to the frontend, which prevents HTML attribute injection but does not filter URL protocols within the JSON data.
On the client side, the view.js script renders the btnUrl value directly as an href attribute on anchor elements without sanitizing the protocol, enabling authenticated users with Contributor-level access or higher to inject malicious javascript: URLs. When a user clicks such a link, arbitrary scripts can execute in their browser.
How can this vulnerability impact me? :
This vulnerability can allow an authenticated attacker with Contributor-level access or above to inject malicious JavaScript code into the website via the btnUrl parameter.
When other users click on the crafted button links, the injected scripts execute in their browsers, potentially leading to session hijacking, data theft, or other malicious actions.
Because the attack is stored, the malicious code persists on the site and can affect multiple users over time.
The vulnerability has a CVSS v3.1 base score of 6.4 (Medium): network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and low impact on confidentiality and integrity with no availability impact. Changed scope is the component that lifts the score to 6.4; it reflects that the injected script runs in the browsers of other users of the site, not in the attacker's own session. In practice a javascript: URL in an href only fires when a victim clicks the button, so the realistic trigger is a click on a published or previewed card, whatever the vector's user-interaction rating says.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is Stored Cross-Site Scripting (XSS) via the 'btnUrl' parameter of the Info Cards block. Detection means finding stored card URLs whose scheme is javascript: (or another script-capable scheme such as data: or vbscript:) rather than http(s), a relative path, or another harmless scheme.
Block attributes are not stored in wp_postmeta: the block editor serializes them as JSON inside the block delimiter comment in the post body, so the data to inspect is wp_posts.post_content, including revisions and autosaves, which are also rows in wp_posts. A stored payload looks like <!-- wp:... {"btnUrl":"javascript:alert(1)"} -->.
- Query the posts table directly (substitute your own prefix if it is not wp_), with a MySQL client or WP-CLI's wp db query:
- SELECT ID, post_type, post_status, post_title FROM wp_posts WHERE post_content LIKE '%"btnUrl":"javascript:%';
- Treat a LIKE match as a first pass only. A Contributor can submit the block JSON through the editor's REST API with JSON unicode escapes (\u006aavascript:), leading whitespace, or tab and newline characters inside the scheme; MySQL LIKE will miss those, while browsers decode the JSON and still treat the result as a javascript: URL. A thorough audit parses the JSON of every block and checks the scheme of the parsed URL.
- For an offline audit, grep a WXR export (wp export, or Tools > Export in the dashboard) for "btnUrl" and review every value; the plugin's own files contain no stored content and need not be scanned.
- On the front end, view.js builds the anchor at runtime, so the HTML the server sends may not contain the href at all. Inspect the JSON attribute payload that render.php emits in the page source, or the DOM after scripts have run, for card buttons whose href starts with javascript:.
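The following is an added example, not the plugin's code and not part of this advisory: a Node.js audit script that does what the LIKE query cannot, namely parse the JSON of each block delimiter comment and classify every URL-looking attribute by the scheme the WHATWG URL parser assigns to it. The post content is constructed for this example; the block name acme/info-card is a placeholder (the block's real name is not given above), and treating any attribute whose name ends in Url as a link is an assumption made here so that cardUrl and per-card URLs nested in arrays are covered as well. It also counts what a case-insensitive "btnUrl":"javascript: substring match would find, to show the gap.

```javascript
// Added example: audit wp_posts.post_content for script-capable URLs in block
// attributes. Not the plugin's code; block name acme/info-card is a placeholder.

// Block delimiter comment carrying a JSON attribute object, e.g.
//   <!-- wp:acme/info-card {"btnUrl":"..."} /-->   or   <!-- wp:ns/name {...} -->
// Blocks without attributes (<!-- wp:paragraph -->) do not match and need no check.
const BLOCK_RE = /<!--\s+wp:([a-z][a-z0-9-]*(?:\/[a-z][a-z0-9-]*)?)\s+(\{[\s\S]*?\})\s+\/?-->/g;

// Schemes a card link is allowed to carry (assumption for this audit). Relative
// URLs resolve to https: against the dummy base and therefore pass.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// Scheme as a browser would see it: the WHATWG parser strips leading/trailing
// whitespace and embedded tab/newline characters and lowercases the scheme, so
// the obfuscated variants all collapse to 'javascript:'. null means unparseable.
function urlScheme(value) {
  try {
    return new URL(String(value), 'https://example.invalid/').protocol;
  } catch {
    return null;
  }
}

// Walk the attribute object (arrays included, for a per-card list) and yield
// [dotted.path, value] for every string attribute whose name ends in "url"
// (assumption: this covers btnUrl, cardUrl and similar names).
function* urlAttributes(node, path = []) {
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) yield* urlAttributes(node[i], [...path, String(i)]);
  } else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (typeof value === 'string' && /url$/i.test(key)) yield [[...path, key].join('.'), value];
      else yield* urlAttributes(value, [...path, key]);
    }
  }
}

// Returns one finding per URL attribute whose parsed scheme is not allowed.
function scanPostContent(postContent) {
  const findings = [];
  for (const m of postContent.matchAll(BLOCK_RE)) {
    const [, blockName, rawJson] = m;
    let attrs;
    try {
      attrs = JSON.parse(rawJson); // decodes \u006a and \t escapes, as a browser would
    } catch {
      findings.push({ blockName, attr: null, value: rawJson, scheme: null, reason: 'invalid JSON' });
      continue;
    }
    for (const [attr, value] of urlAttributes(attrs)) {
      const scheme = urlScheme(value);
      if (scheme === null || !ALLOWED_SCHEMES.has(scheme)) {
        findings.push({ blockName, attr, value, scheme, reason: 'disallowed scheme' });
      }
    }
  }
  return findings;
}

// What  LIKE '%"btnUrl":"javascript:%'  would count: case-insensitive on a *_ci
// collation, but no decoding of JSON escapes and no whitespace tolerance.
function naiveSubstringHits(postContent) {
  const needle = '"btnurl":"javascript:';
  const hay = postContent.toLowerCase();
  let count = 0;
  for (let i = hay.indexOf(needle); i !== -1; i = hay.indexOf(needle, i + needle.length)) count++;
  return count;
}

// Constructed post_content: one plain paragraph, two legitimate cards and three
// malicious ones. String.raw keeps the JSON escapes (\u006a, \t) exactly as the
// database row would hold them.
const SAMPLE_POST_CONTENT = String.raw`<!-- wp:paragraph -->
<p>Intro text with no attributes.</p>
<!-- /wp:paragraph -->
<!-- wp:acme/info-card {"title":"Pricing","btnUrl":"https://example.com/pricing"} /-->
<!-- wp:acme/info-card {"title":"Contact","btnUrl":"/contact"} /-->
<!-- wp:acme/info-card {"title":"Plain","btnUrl":"javascript:alert(document.cookie)"} /-->
<!-- wp:acme/info-card {"title":"Escaped","btnUrl":"\u006aava\tscript:alert(1)"} /-->
<!-- wp:acme/info-card {"title":"Nested","cards":[{"btnUrl":"  JavaScript:alert(2)"}]} /-->`;

for (const f of scanPostContent(SAMPLE_POST_CONTENT)) console.log(f);
console.log('naive substring hits:', naiveSubstringHits(SAMPLE_POST_CONTENT));
```

Run it under Node 18 or later and feed it post_content rows dumped from wp_posts. On the constructed input the scheme-based check reports all three malicious cards, while the substring match that mirrors the SQL query reports only the plain one and passes the escaped and whitespace-padded variants as clean.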
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to sanitize and validate the 'btnUrl' and 'cardUrl' values so that javascript: URLs can neither be stored nor rendered.
The plugin's render.php should pass these URL fields through WordPress's esc_url_raw() before encoding them as JSON for the front end. esc_url_raw() drops any URL whose scheme is not in wp_allowed_protocols(), and javascript: is not in that list, so such a value becomes an empty string instead of reaching the href.
Additional steps include:
- Update the Info Cards plugin to a version that includes the fix (later than 2.0.7) in which URL sanitization is implemented.
- Restrict user roles so that only trusted users with appropriate permissions (above Contributor level) can add or edit Info Cards blocks. Keep in mind that a Contributor's pending post is reviewed and previewed by an Editor or Administrator, who is the most likely victim of a stored payload.
- Audit existing cards, including post revisions, for javascript: URLs and remove or sanitize them.
- Consider a Content Security Policy (CSP): a script-src directive without 'unsafe-inline' blocks navigation to javascript: URLs, which limits the impact of any payload that is already stored.
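As an added example (not the plugin's own code), here is a DOM-free Node.js model of the pipeline described in the explanation above and of the fix recommended here: a server side that hands block attributes to the client as JSON, a client-side sink that builds the button from btnUrl, and a scheme allowlist applied before the value becomes an href. Function names and the btnText attribute are this example's own; the allowlist of http, https, mailto and tel is an assumption standing in for wp_allowed_protocols(), and esc_url_raw() is modelled only in the one respect that matters here, rejecting disallowed schemes. The attacker strings are constructed. The example also shows why the attribute escaping the page credits to the JSON hand-off is the wrong defence: it neutralizes an attribute breakout but passes a javascript: scheme through untouched.

```javascript
// Added example: a DOM-free model of the btnUrl pipeline described on this page.
// Nothing here is the plugin's code; function names and btnText are assumptions.

// Attribute-context HTML escaping. This is the protection the page says the JSON
// hand-off already provides: it stops `"><script>` breakouts, and it does nothing
// about a javascript: scheme, which survives escaping byte for byte.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Scheme allowlist (assumed; wp_allowed_protocols() is longer but likewise omits
// javascript:). Relative URLs are resolved against a dummy base and come out as
// https:. The URL parser strips surrounding whitespace and embedded tabs and
// lowercases the scheme before the comparison, which a plain string check would not.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);

function sanitizeButtonUrl(value) {
  const raw = String(value ?? '').trim();
  let scheme;
  try {
    scheme = new URL(raw, 'https://example.invalid/').protocol;
  } catch {
    return ''; // unparseable: drop it, the same outcome esc_url_raw() gives junk
  }
  return ALLOWED_SCHEMES.has(scheme) ? raw : '';
}

// Server side, as the page describes it: attributes go to the browser as JSON.
// With sanitize=false the scheme is never inspected (vulnerable); with
// sanitize=true the URL is cleaned before encoding, the role esc_url_raw()
// plays in the recommended fix for render.php.
function renderCardJson(attrs, sanitize) {
  const out = { ...attrs };
  if (sanitize) out.btnUrl = sanitizeButtonUrl(attrs.btnUrl);
  return JSON.stringify(out);
}

// Client side, vulnerable: whatever scheme arrived in the JSON becomes the href.
function buildButtonHtmlVulnerable(json) {
  const attrs = JSON.parse(json);
  return `<a class="card-btn" href="${escapeHtmlAttr(attrs.btnUrl)}">${escapeHtmlAttr(attrs.btnText)}</a>`;
}

// Client side, hardened: validate the scheme in the consumer as well (defence in
// depth for values that were stored before the fix) and render no link rather
// than a dangerous one.
function buildButtonHtmlFixed(json) {
  const attrs = JSON.parse(json);
  const href = sanitizeButtonUrl(attrs.btnUrl);
  const text = escapeHtmlAttr(attrs.btnText);
  if (href === '') return `<span class="card-btn">${text}</span>`;
  return `<a class="card-btn" href="${escapeHtmlAttr(href)}">${text}</a>`;
}

// Constructed inputs: three scheme-based payloads a browser would execute on
// click, one attribute-breakout attempt, and two legitimate links.
const SAMPLE_BTN_URLS = [
  'javascript:alert(document.cookie)',
  '  JavaScript:alert(1)',
  'java\tscript:alert(1)',
  '"><script>alert(1)</script>',
  'https://example.com/pricing?plan=team&ref=card',
  '/contact',
];

// Runs each input through the vulnerable and the fixed pipeline end to end.
function demo() {
  return SAMPLE_BTN_URLS.map((btnUrl) => {
    const attrs = { btnText: 'Learn more', btnUrl };
    return {
      btnUrl,
      vulnerable: buildButtonHtmlVulnerable(renderCardJson(attrs, false)),
      fixed: buildButtonHtmlFixed(renderCardJson(attrs, true)),
    };
  });
}

for (const row of demo()) console.log(row);
```

Note what the vulnerable output shows for the tab-separated and whitespace-padded variants: the escaping leaves them intact, and a browser normalizes both back to javascript: when the link is clicked. The hardened pipeline turns all three script payloads into a plain span and leaves the https and relative links usable; the breakout attempt is harmless in both, which is the attribute-injection protection the page already credits the plugin with.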