CVE-2026-3600
Stored XSS in Investi WordPress Plugin via Shortcode Attribute
Publication date: 2026-04-08
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| investi | plugin | to 1.0.26 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'maximum-num-years' attribute in the 'investi-announcements-accordion' shortcode of the Investi WordPress plugin. Detection involves identifying if your WordPress site uses the Investi plugin version 1.0.26 or earlier and checking for the presence of this shortcode with potentially malicious input.
To detect exploitation attempts or presence of the vulnerability, you can search your WordPress content database for usage of the shortcode with suspicious or script-injected 'maximum-num-years' attributes.
- Use a database query to find posts containing the shortcode, for example in MySQL: SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[investi-announcements-accordion%maximum-num-years=%';
- Look for suspicious script tags or unusual characters in the 'maximum-num-years' attribute values.
- Monitor web server logs for unusual requests or POST data from authenticated users with Contributor-level access or higher that include the shortcode or script payloads.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Investi plugin to a version later than 1.0.26 where this vulnerability is fixed.
If an update is not immediately available, restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated access at this level.
As a temporary workaround, avoid using the 'investi-announcements-accordion' shortcode or remove the 'maximum-num-years' attribute from its usage in your content.
Implement Web Application Firewall (WAF) rules to detect and block attempts to inject scripts via shortcode attributes.
Can you explain this vulnerability to me?
The Investi plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its 'investi-announcements-accordion' shortcode, specifically in the 'maximum-num-years' attribute.
This vulnerability exists because the plugin does not properly sanitize or escape user-supplied input for this attribute before inserting it into a double-quoted HTML attribute.
As a result, authenticated users with Contributor-level access or higher can inject malicious scripts that will execute whenever any user views the affected page.
How can this vulnerability impact me? :
This vulnerability allows attackers with Contributor-level access or above to inject arbitrary web scripts into pages.
These scripts execute in the context of users visiting the infected pages, potentially leading to theft of user credentials, session hijacking, defacement, or other malicious actions.
Because the attack requires authenticated access, it may be harder to exploit remotely by anonymous users, but still poses a significant risk within the site.