CVE-2026-6399
Stored XSS in General Options WordPress Plugin
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | general_options_plugin | up to 1.1.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The General Options plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.1.0. The plugin relies on the sanitize_text_field() function to escape the Contact Number field when it is written into the settings page; that function strips HTML tags but does not encode double-quote characters. Because the value is placed inside an HTML attribute, a double quote in the stored value terminates the attribute and allows injection of arbitrary web script into the page. WordPress's wp_magic_quotes mechanism does not prevent this, since the backslash it adds is rendered literally by the browser rather than acting as an escape character. As a result, authenticated users with Administrator-level access can store a script that executes whenever an administrator visits the General Options settings page.
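The following is an added example, not code from the General Options plugin or from Wordfence, illustrating the difference between tag stripping and attribute encoding described above. Plain PHP stand-ins are assumed: strip_tags() approximates the tag-removal behaviour of sanitize_text_field() (neither encodes quotes), and htmlspecialchars() with ENT_QUOTES approximates esc_attr(); the WordPress functions themselves are not reproduced. The stored value is constructed and uses a harmless marker attribute rather than any script.

```php
<?php
// Added example (not the plugin's code). Stand-ins, assumed for this demo:
//   strip_tags()      ~ sanitize_text_field(): removes tags, leaves quotes alone
//   htmlspecialchars() ~ esc_attr(): encodes quotes for an attribute context

function render_contact_unsafe(string $contact): string
{
    // Vulnerable pattern: input "sanitization" reused as output escaping.
    $cleaned = strip_tags($contact);
    return '<input type="text" name="contact_number" value="' . $cleaned . '">';
}

function render_contact_safe(string $contact): string
{
    // Hardened pattern: encode for the HTML attribute context at output time.
    $escaped = htmlspecialchars($contact, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="contact_number" value="' . $escaped . '">';
}

function attribute_count(string $html): int
{
    // Review helper: every attribute contributes exactly two double quotes,
    // so a correctly encoded field yields 3 attributes x 2 = 6 quotes.
    return intdiv(substr_count($html, '"'), 2);
}

// Constructed sample: a stored value containing a double quote. The text after
// the quote is a benign marker, not a payload; it only shows that a new
// attribute can be introduced.
$stored = '555-0100" data-marker="injected';

echo render_contact_unsafe($stored), PHP_EOL;
// <input type="text" name="contact_number" value="555-0100" data-marker="injected">
echo attribute_count(render_contact_unsafe($stored)), " attributes", PHP_EOL; // 4

echo render_contact_safe($stored), PHP_EOL;
// <input type="text" name="contact_number" value="555-0100&quot; data-marker=&quot;injected">
echo attribute_count(render_contact_safe($stored)), " attributes", PHP_EOL;   // 3
```

The practical takeaway for plugin authors and reviewers: keep sanitize_text_field() for cleaning input on save, but escape at the point of output with the function that matches the context (esc_attr() inside attributes, esc_html() in element content). When auditing a settings page, any user-controlled value concatenated between attribute quotes without esc_attr() is the pattern to look for.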
How can this vulnerability impact me?
This vulnerability allows attackers with Administrator-level access to inject JavaScript that executes in the WordPress admin settings page. Because the script runs in the browser of whichever administrator views the page, it can be used to steal administrator session cookies, perform actions on that administrator's behalf, or deface the admin interface, compromising the security and integrity of the WordPress site.