CVE-2026-4811
Deferred Deferred - Pending Action
Stored XSS in WPB Floating Menu & Categories WordPress Plugin

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: Wordfence

Description
The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-21
Generated
2026-06-10
AI Q&A
2026-05-21
EPSS Evaluated
2026-06-09
NVD
CVE-2026-4811
EUVD
EUVD-2026-31208
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpb floating_menu_and_categories_for_wordpress to 1.0.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows attackers with Editor-level access or above to inject malicious scripts that execute in the context of other users visiting the affected pages.

The impact includes potential compromise of user sessions, theft of sensitive information, or unauthorized actions performed on behalf of users without their consent.

The CVSS score of 4.9 indicates a medium severity with high confidentiality impact but no impact on integrity or availability.

Executive Summary

The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin is vulnerable to Stored Cross-Site Scripting (XSS) through the 'Icon CSS Class' category field. This vulnerability exists in all versions up to and including 1.0.8 due to insufficient input sanitization and output escaping.

Authenticated attackers with Editor-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the injected page, potentially compromising the security of users.

Mitigation Strategies

The vulnerability affects all versions up to and including 1.0.8 of the WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin. Immediate mitigation steps include updating the plugin to a version later than 1.0.8 where the vulnerability is fixed.

Additionally, restrict Editor-level access and above to trusted users only, as the vulnerability requires authenticated users with Editor-level permissions to exploit.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4811. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart