CVE-2026-6397
Stored XSS in Sticky WordPress Plugin via readmoretext Shortcode
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_sticky | sticky | to 2.5.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Sticky plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its `cvmh-sticky` shortcode, specifically in the `readmoretext` attribute. This happens because the plugin does not properly sanitize or escape the input for this attribute before including it in the HTML output. As a result, authenticated users with Contributor-level access or higher can inject malicious scripts that will run whenever someone views a page containing the infected shortcode.
How can this vulnerability impact me? :
This vulnerability allows attackers with Contributor-level access or above to inject arbitrary scripts into WordPress pages. These scripts can execute in the browsers of users who visit the affected pages, potentially leading to theft of user credentials, session hijacking, defacement, or other malicious actions. Because the vulnerability is stored, the malicious code persists and affects all users who access the infected content.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Sticky plugin for WordPress to a version later than 2.5.6 where the issue is fixed.
Additionally, restrict Contributor-level access and above to trusted users only, as the vulnerability requires authenticated users with at least Contributor privileges to exploit.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Sticky plugin for WordPress, specifically the `cvmh-sticky` shortcode's `readmoretext` attribute being vulnerable to Stored Cross-Site Scripting (XSS). Detection involves identifying instances where this shortcode is used with potentially malicious or unescaped input.
To detect this vulnerability on your system, you can search your WordPress database or content files for the presence of the `cvmh-sticky` shortcode with suspicious or script-containing `readmoretext` attributes.
- Use a database query to find posts containing the shortcode, for example in MySQL: `SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[cvmh-sticky readmoretext=%';`
- Search for suspicious script tags or JavaScript code within the `readmoretext` attribute using command line tools like grep: `grep -r '\[cvmh-sticky.*readmoretext=.*<script' /path/to/wordpress/wp-content/`
- Check plugin version to confirm if it is vulnerable (versions up to and including 2.5.6). You can do this by running: `wp plugin get sticky --field=version` if WP-CLI is installed.
Since the vulnerability requires Contributor-level access to inject scripts, monitoring user activity logs for suspicious shortcode edits or additions may also help detect exploitation attempts.