CVE-2026-1099 Overview
CVE-2026-1099 is a Stored Cross-Site Scripting (XSS) vulnerability in the Administrative Shortcodes plugin for WordPress. The flaw affects all versions up to and including 0.3.4. It stems from insufficient input sanitization and output escaping on the login and logout shortcode attributes [CWE-79].
Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. The injected payload executes in the browser of any user who views the affected page. This enables session theft, forced administrative actions, and redirection to attacker-controlled infrastructure.
Critical Impact
Authenticated Contributor accounts can store JavaScript that executes against site visitors and administrators, enabling account takeover and content tampering.
Affected Products
- Administrative Shortcodes plugin for WordPress, all versions through 0.3.4
- WordPress sites that allow Contributor-level (or higher) account registration
- Multi-author WordPress deployments using the affected plugin
Discovery Timeline
- 2026-01-24 - CVE-2026-1099 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in the NVD database
Technical Details for CVE-2026-1099
Vulnerability Analysis
The Administrative Shortcodes plugin registers shortcodes that conditionally render content based on a user's login state. The login and logout shortcode attributes accept user-controlled strings that the plugin embeds into rendered page output without proper sanitization or escaping.
Because the plugin trusts shortcode attribute values, a Contributor can author a draft post or page containing a shortcode whose attributes carry HTML or JavaScript. When the content is rendered, the attacker-supplied markup is emitted directly into the response body. Any visitor — including authenticated administrators reviewing pending Contributor submissions — executes the script in their browser session.
The attack persists across page loads, distinguishing this from reflected XSS. Stored payloads remain active until the offending content is edited or removed.
Root Cause
The root cause is missing input sanitization on shortcode attribute values and missing output escaping when those values are written into HTML. The plugin should apply sanitize_text_field() or equivalent on input and esc_attr() or esc_html() on output. Neither control is enforced for the login and logout attributes in the vulnerable handler referenced at line 196 of administrative-shortcodes.php.
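The following is an added example, not the plugin's own code: a login/logout shortcode handler in the vulnerable shape the advisory describes, beside a hardened version that applies sanitize_text_field() on input and esc_attr()/esc_html() on output. The function names, the link markup and the attribute defaults are assumptions; the shims only stand in for the WordPress helpers so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example, not the plugin's own code: vulnerable vs. hardened
// handling of author-controlled login/logout shortcode attributes.
// Function names, markup and defaults are assumptions.

if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Approximation of WordPress' sanitize_text_field(): drop
        // <script>/<style> blocks with their contents, strip remaining
        // tags, remove control characters, trim surrounding whitespace.
        $str = preg_replace('@<(script|style)[^>]*?>.*?</\1>@si', '', (string) $str);
        $str = strip_tags($str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($str) { return htmlspecialchars((string) $str, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($str) { return htmlspecialchars((string) $str, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($defaults, $atts) {
        return array_merge($defaults, array_intersect_key((array) $atts, $defaults));
    }
}

// Vulnerable shape: the author-controlled attribute goes straight into
// markup, once inside an attribute value and once as element text.
function example_login_link_vulnerable($atts, $logged_in) {
    $atts  = shortcode_atts(['login' => 'Log in', 'logout' => 'Log out'], $atts);
    $label = $logged_in ? $atts['logout'] : $atts['login'];
    return '<a href="/wp-login.php" title="' . $label . '">' . $label . '</a>';
}

// Hardened: sanitize on the way in, then escape for the exact output
// context (esc_attr inside the attribute, esc_html for the text node).
function example_login_link_fixed($atts, $logged_in) {
    $atts   = shortcode_atts(['login' => 'Log in', 'logout' => 'Log out'], $atts);
    $login  = sanitize_text_field($atts['login']);
    $logout = sanitize_text_field($atts['logout']);
    $label  = $logged_in ? $logout : $login;
    return '<a href="/wp-login.php" title="' . esc_attr($label) . '">'
         . esc_html($label) . '</a>';
}

// Constructed attribute value of the kind a Contributor could place in a
// draft; the <script> substring is one of the indicators listed on this
// page. Only the vulnerable handler emits it into the response.
$atts = ['login' => 'Members <script>alert(1)</script>'];
echo "vulnerable: " . example_login_link_vulnerable($atts, false) . PHP_EOL;
echo "fixed:      " . example_login_link_fixed($atts, false) . PHP_EOL;
```

Run with `php example.php`: the vulnerable line reproduces the tag verbatim in both the title attribute and the link text, while the fixed line renders only `Members`. Sanitization alone is not enough in general, because a value that survives strip_tags can still break out of an attribute; escaping per context is what closes that path, which is why the fix applies both.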
Attack Vector
Exploitation requires an authenticated WordPress account with at least Contributor privileges. The attacker creates or edits a post containing the vulnerable shortcode with a crafted attribute payload. The payload triggers when an editor, administrator, or site visitor renders the page.
The scope-changed CVSS vector indicates the injected script executes in the browser context of users beyond the attacker's own privilege boundary. This makes administrator-targeted payloads — such as nonce-stealing requests against /wp-admin/ endpoints — practical follow-on attacks.
See the Wordfence Vulnerability Report and the WordPress Plugin Code Reference for the vulnerable code path.
Detection Methods for CVE-2026-1099
Indicators of Compromise
- Posts or pages containing [admin_*]-style shortcodes with login or logout attributes that include <script>, onerror=, onload=, or javascript: substrings
- Unexpected outbound requests from administrator browser sessions to external domains after viewing Contributor-authored content
- New administrative users, plugin installations, or theme changes created shortly after an administrator reviewed a draft post
- WordPress database entries in wp_posts.post_content containing encoded JavaScript within shortcode attributes
Detection Strategies
- Query the WordPress database for shortcode patterns referencing the administrative-shortcodes plugin and inspect attribute values for HTML or script content
- Deploy a Web Application Firewall (WAF) rule that flags shortcode attribute values containing angle brackets, event handlers, or javascript: schemes
- Audit Contributor and Author role accounts and review their recent post revisions for suspicious shortcode usage
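As an added example for the indicators and detection strategies above (not part of the advisory or the plugin), the scanner below walks wp_posts rows, extracts every shortcode, parses its attributes and flags login= or logout= values that contain a tag, an entity-encoded angle bracket, an on*= event handler or a javascript: scheme. The rows are constructed; in practice it would be fed the output of `SELECT ID, post_title, post_content FROM wp_posts`. The shortcode names used in the sample rows are assumptions.

```php
<?php
// Added example, not part of the advisory or the plugin: flags suspicious
// login= / logout= shortcode attribute values in wp_posts rows.

const SUSPICIOUS_VALUE = '/<|&lt;|&#0*60;?|&#x0*3c;?|\bon[a-z]+\s*=|javascript\s*:/i';

// Minimal attribute parser for key="v", key='v' and bare key=v forms.
function parse_shortcode_atts(string $raw): array {
    $atts = [];
    $pattern = '/([a-z_][a-z0-9_-]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i';
    if (preg_match_all($pattern, $raw, $m, PREG_SET_ORDER)) {
        foreach ($m as $match) {
            // Only one of the three value groups matches; the rest are empty or absent.
            $atts[strtolower($match[1])] = ($match[2] ?? '') . ($match[3] ?? '') . ($match[4] ?? '');
        }
    }
    return $atts;
}

// Returns one finding per suspicious login/logout attribute.
// Limitation: a value containing a literal ']' truncates the shortcode
// match, so posts with such values should be reviewed by hand.
function find_suspicious_shortcodes(array $rows): array {
    $findings = [];
    foreach ($rows as $row) {
        // The shortcode name is not assumed; any [name attr...] is inspected.
        if (!preg_match_all('/\[([a-z0-9_-]+)([^\]]*)\]/i', $row['post_content'], $codes, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($codes as $code) {
            $atts = parse_shortcode_atts($code[2]);
            foreach (['login', 'logout'] as $key) {
                if (isset($atts[$key]) && preg_match(SUSPICIOUS_VALUE, $atts[$key])) {
                    $findings[] = [
                        'ID'        => $row['ID'],
                        'title'     => $row['post_title'],
                        'shortcode' => $code[1],
                        'attribute' => $key,
                        'value'     => $atts[$key],
                    ];
                }
            }
        }
    }
    return $findings;
}

// Constructed rows: one benign, three carrying the indicator substrings
// named on this page (a tag, an entity-encoded tag with an on*= handler,
// and a javascript: scheme).
$rows = [
    ['ID' => 10, 'post_title' => 'About',   'post_content' => 'Hi [admin_login login="Sign in" logout="Sign out"]'],
    ['ID' => 11, 'post_title' => 'Draft A', 'post_content' => '[admin_login login="Sign in<script>alert(1)</script>"]'],
    ['ID' => 12, 'post_title' => 'Draft B', 'post_content' => '[admin_logout logout="&lt;img src=x onerror=alert(1)&gt;"]'],
    ['ID' => 13, 'post_title' => 'Draft C', 'post_content' => "[admin_login login='javascript:alert(1)']"],
];

foreach (find_suspicious_shortcodes($rows) as $f) {
    printf("post %d (%s): [%s] %s=%s\n", $f['ID'], $f['title'], $f['shortcode'], $f['attribute'], $f['value']);
}
```

Running it reports posts 11, 12 and 13 and stays silent on post 10. Parsing the attributes rather than grepping the raw content keeps the check focused on the two attributes the advisory names, and the entity-encoded alternatives cover the "encoded JavaScript" indicator that a plain `<` search misses.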
Monitoring Recommendations
- Log all post creation and revision events with the author's role and IP address for retrospective hunting
- Monitor /wp-admin/ browser sessions for anomalous XHR or fetch calls to third-party domains
- Alert on plugin or user role changes initiated from administrator sessions immediately following content preview actions
How to Mitigate CVE-2026-1099
Immediate Actions Required
- Update the Administrative Shortcodes plugin to a version newer than 0.3.4 once the vendor releases a patched build
- If no patched version is available, deactivate and remove the plugin from affected WordPress installations
- Review existing posts and pages for malicious shortcode attributes and purge any injected payloads
- Rotate administrator passwords and invalidate active sessions if exploitation is suspected
Patch Information
At the time of publication, the NVD entry for CVE-2026-1099 references the vulnerable code at line 196 of administrative-shortcodes.php in tag 0.3.4 and the development trunk. Administrators should monitor the WordPress Plugin Development Code repository for an updated release that adds esc_attr() and sanitize_text_field() calls on the login and logout attributes.
Workarounds
- Restrict Contributor and Author account creation to trusted users only, and require manual approval for new registrations
- Enforce editorial review workflows that render pending posts in an isolated browser profile without administrative cookies
- Apply a WAF rule that blocks POST requests to /wp-admin/post.php containing shortcode attributes with HTML control characters
- Disable the plugin on production sites until a vendor patch is published
# Disable the vulnerable plugin via WP-CLI
wp plugin deactivate administrative-shortcodes
wp plugin delete administrative-shortcodes
# Search the database for potentially malicious shortcode usage.
# These patterns only catch a literal '<' inside a quoted login= or
# logout= value; the event-handler (on*=), javascript: and entity-encoded
# forms listed under Indicators of Compromise need a separate pass.
wp db query "SELECT ID, post_title, post_author FROM wp_posts \
WHERE post_content REGEXP 'login=\"[^\"]*<' \
OR post_content REGEXP 'logout=\"[^\"]*<';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.