CVE-2026-4005 Overview
The Coachific Shortcode plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the userhash shortcode attribute affecting all versions up to and including 1.0. This vulnerability arises from insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor-level access or above to inject malicious scripts that execute when users access compromised pages.
Critical Impact
Authenticated attackers can inject persistent malicious JavaScript code that executes in the browsers of all users viewing affected pages, potentially leading to session hijacking, credential theft, or further compromise of the WordPress site.
Affected Products
- Coachific Shortcode WordPress Plugin version 1.0 and earlier
- WordPress installations with Coachific Shortcode plugin enabled
- Sites allowing Contributor-level or higher user access
Discovery Timeline
- April 15, 2026 - CVE-2026-4005 published to NVD
- April 15, 2026 - Last updated in NVD database
Technical Details for CVE-2026-4005
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability exists due to a context mismatch in the security controls applied to user input. The plugin uses sanitize_text_field() on the userhash parameter, which strips HTML tags but fails to escape characters that are significant in a JavaScript string context—specifically double quotes, semicolons, and parentheses. The sanitized value is then directly interpolated into a JavaScript string within a <script> tag on line 29 of coachific.php without any JavaScript-specific escaping such as wp_json_encode() or esc_js().
This creates a scenario where an attacker can break out of the JavaScript string context and inject arbitrary code. The vulnerability requires authentication at the Contributor level or above, but once exploited, the malicious scripts persist in the database and execute for all users who view the affected page, including administrators.
Root Cause
The root cause is the use of an inappropriate sanitization function for the output context. While sanitize_text_field() is effective for HTML contexts by stripping tags, it does not protect against JavaScript injection when the output is placed within a JavaScript string literal. WordPress provides context-specific escaping functions like esc_js() for JavaScript strings and wp_json_encode() for JSON contexts, but neither is used in the vulnerable code path.
Attack Vector
The attack is network-based and requires a user with at least Contributor-level privileges on the target WordPress site. The attacker creates or edits a post containing the Coachific shortcode with a crafted userhash attribute value designed to break out of the JavaScript string context. When any user—including administrators—views the page containing the malicious shortcode, the injected JavaScript executes in their browser session.
The vulnerability mechanism involves the following flow:
- An authenticated attacker with Contributor access creates a post using the Coachific shortcode
- The attacker crafts the userhash attribute with JavaScript-breaking characters (e.g., "; malicious_code(); ")
- The plugin's sanitize_text_field() function strips HTML but preserves JavaScript-significant characters
- The sanitized but still malicious value is interpolated directly into a <script> block
- When users visit the page, the malicious JavaScript executes in their browser context
For detailed code analysis, refer to the WordPress Plugin Code Review for line 13 and line 29 in the plugin source.
Detection Methods for CVE-2026-4005
Indicators of Compromise
- Unusual shortcode content in post/page database entries containing JavaScript escape sequences
- Posts created by Contributor-level users containing suspicious userhash attribute values with special characters
- Browser console errors or unexpected script execution on pages using Coachific shortcodes
- User reports of unexpected behavior or redirects when viewing certain pages
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution anomalies
- Monitor WordPress database for posts containing shortcodes with suspicious character patterns in attributes
- Deploy web application firewalls (WAF) with XSS detection rules to identify injection attempts
- Review access logs for authenticated users creating or modifying content with Coachific shortcodes
Monitoring Recommendations
- Enable WordPress activity logging to track post creation and modification by Contributor-level users
- Configure browser-based security monitoring to detect unexpected script execution
- Set up alerts for CSP violation reports indicating potential XSS exploitation attempts
- Regularly audit user-generated content containing shortcodes for malicious patterns
How to Mitigate CVE-2026-4005
Immediate Actions Required
- Update the Coachific Shortcode plugin to the latest patched version if available
- Review and audit all existing posts containing Coachific shortcodes for suspicious content
- Restrict Contributor-level access to trusted users only until patched
- Consider temporarily disabling the plugin if no patch is available
Patch Information
At the time of publication, administrators should check the WordPress Plugin Directory for updated versions that address this vulnerability. The fix requires replacing direct string interpolation with proper JavaScript escaping using functions like esc_js() or wp_json_encode(). Additional details are available in the Wordfence Vulnerability Report.
Workarounds
- Disable the Coachific Shortcode plugin until a patch is available
- Restrict post creation and editing capabilities to Administrator-level users only
- Implement a Web Application Firewall (WAF) with XSS protection rules to filter malicious shortcode attributes
- Manually audit and remove any suspicious shortcode content from existing posts
# Configuration example - Disable plugin via WP-CLI
wp plugin deactivate coachific-shortcode
# List all posts containing the shortcode for manual review
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[coachific%' AND post_status = 'publish'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
