CVE-2026-4005
Stored XSS in Coachific Shortcode Plugin via userhash Attribute
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coachific | shortcode | to 1.0 (inc) |
| coachific | shortcode_plugin | to 1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'userhash' shortcode attribute in the Coachific Shortcode WordPress plugin. Detection typically involves identifying if the vulnerable plugin version is installed and if the 'userhash' shortcode is used in posts or pages.
To detect exploitation attempts or presence of the vulnerability on your system, you can search for usage of the 'userhash' shortcode in your WordPress content and check for suspicious script injections.
- Use WP-CLI to search for the shortcode usage: wp post list --post_type=page,post --format=ids | xargs -d' ' -I % wp post get % --field=post_content | grep '\[userhash'
- Search your database directly for the shortcode usage: SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[userhash%';
- Check for suspicious script tags or injected JavaScript in posts or pages that use the shortcode.
Network detection of exploitation attempts may involve monitoring HTTP requests for unusual parameters or payloads targeting the 'userhash' attribute, but specific commands for network detection are not provided in the available information.
Can you explain this vulnerability to me?
The vulnerability exists in the Coachific Shortcode plugin for WordPress, specifically in the 'userhash' shortcode attribute. It is a Stored Cross-Site Scripting (XSS) issue caused by insufficient input sanitization and output escaping.
Although the plugin uses sanitize_text_field() to strip HTML tags from the 'userhash' parameter, it does not escape characters that are significant in JavaScript strings, such as double quotes, semicolons, and parentheses.
The sanitized value is then directly inserted into a JavaScript string inside a <script> tag without proper JavaScript-specific escaping methods like wp_json_encode() or esc_js(). This allows attackers with Contributor-level access or higher to inject arbitrary scripts that execute when users visit the affected pages.
How can this vulnerability impact me? :
This vulnerability can allow authenticated attackers with Contributor-level access or above to inject malicious JavaScript code into pages on the affected WordPress site.
When other users access these pages, the injected scripts will execute in their browsers, potentially leading to theft of sensitive information, session hijacking, or other malicious actions.
Because the attack is stored, the malicious code persists on the site and affects all users who view the compromised content.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update or remove the Coachific Shortcode plugin for WordPress if it is at version 1.0 or below, as these versions are vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute.
Additionally, restrict Contributor-level and higher user access until the vulnerability is addressed, since authenticated users with these privileges can exploit this issue.
Ensure that any input sanitization and output escaping for the 'userhash' parameter uses proper JavaScript-specific escaping functions such as wp_json_encode() or esc_js() to prevent script injection.