CVE-2026-4120 Overview
The Info Cards – Add Text and Media in Card Layouts plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the btnUrl parameter within the Info Cards block. This vulnerability exists in all versions up to and including 2.0.7 due to insufficient input validation on URL schemes, specifically the lack of javascript: protocol filtering.
The vulnerability allows authenticated attackers with Contributor-level access or above to inject malicious javascript: URLs that execute arbitrary web scripts when users click the rendered button links. This represents a significant security risk for WordPress sites that allow contributor or author access, as it could lead to session hijacking, credential theft, or defacement.
Critical Impact
Authenticated attackers can inject persistent JavaScript payloads via the btnUrl parameter, enabling session hijacking, credential theft, and malicious redirects when site visitors interact with Info Card button links.
Affected Products
- Info Cards – Add Text and Media in Card Layouts plugin for WordPress versions up to and including 2.0.7
- WordPress sites using the Info Cards block with Contributor or higher user roles
- Any site permitting authenticated users to create or edit Info Card blocks
Discovery Timeline
- 2026-03-19 - CVE-2026-4120 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-4120
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability stems from a multi-stage processing flaw in how the Info Cards plugin handles URL input for button links. The block's render.php passes all block attributes as JSON to the frontend via a data-attributes HTML attribute using esc_attr(wp_json_encode()). While this approach effectively prevents HTML attribute injection, it does not validate URL protocols within the JSON data.
The client-side view.js then renders the btnUrl value directly as an href attribute on anchor elements without any protocol sanitization. This architectural gap allows attackers to bypass the server-side encoding protections by injecting javascript: protocol URLs that execute when clicked.
The attack requires authentication with at minimum Contributor-level privileges, limiting the attack surface to WordPress installations that grant content creation permissions to multiple users or untrusted contributors.
Root Cause
The root cause is insufficient input validation on URL schemes within the btnUrl parameter. The plugin correctly applies esc_attr() and wp_json_encode() for safe HTML attribute encoding on the server side but never validates the URL scheme itself, neither by allowlisting safe schemes nor by blocking dangerous ones. This means dangerous protocols like javascript:, data:, and vbscript: can be stored and later rendered as clickable links.
The validation gap exists between the server-side output encoding in render.php and the client-side rendering in view.js, where the URL is trusted without sanitization and applied directly to an anchor element's href attribute.
Attack Vector
The attack vector is network-based and requires authentication with Contributor-level privileges or above. An attacker exploits the vulnerability through the following sequence:
- The attacker authenticates to WordPress with Contributor or higher role privileges
- The attacker creates or edits a post containing an Info Cards block
- In the block settings, the attacker sets the btnUrl parameter to a javascript: URL containing malicious script code
- The block is saved and published (or submitted for review)
- When a site visitor or administrator clicks the malicious button link, the injected JavaScript executes in their browser context
The malicious script can then perform actions such as stealing session cookies, redirecting users to phishing pages, performing actions on behalf of the victim, or injecting additional malicious content into the page.
Detection Methods for CVE-2026-4120
Indicators of Compromise
- Presence of javascript: protocol URLs in Info Cards block content within the WordPress database
- Unusual or obfuscated JavaScript code patterns in btnUrl attributes of saved block data
- Reports from users of unexpected behavior when clicking Info Card buttons
- Evidence of session hijacking or unauthorized administrative actions following user interaction with Info Card elements
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block javascript: URLs in POST requests to the WordPress block editor
- Enable WordPress audit logging to monitor block content changes by Contributor-level users
- Deploy client-side XSS detection solutions that monitor for script execution from anchor click events
- Regularly scan the WordPress database for stored XSS payloads in block content using security scanning tools
Monitoring Recommendations
- Monitor WordPress audit logs for suspicious block editing activity, particularly from Contributor accounts
- Configure alerting for any javascript: or data: protocol strings appearing in saved post content
- Implement Content Security Policy (CSP) headers to restrict inline script execution and mitigate XSS impact
- Review the Wordfence Vulnerability Analysis for updated threat intelligence
How to Mitigate CVE-2026-4120
Immediate Actions Required
- Update the Info Cards plugin to a patched version beyond 2.0.7 when available from the WordPress plugin repository
- Review and audit all existing Info Card blocks for malicious btnUrl values containing javascript: or other dangerous protocols
- Restrict Contributor-level access to trusted users only until the patch is applied
- Consider temporarily disabling the Info Cards plugin if untrusted contributors have access to the site
Patch Information
A patched version addressing this vulnerability should be available in the WordPress plugin repository. Administrators should update to the latest version that includes URL protocol validation. The fix should implement allowlisting of safe URL protocols (such as http:, https:, mailto:, and tel:) and reject or sanitize javascript:, data:, and vbscript: protocols.
Technical references for the vulnerable code can be found in the WordPress Info Cards Render PHP and WordPress Info Cards View JS files. The trunk revision at render.php revision 3482902 may contain the patched code.
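The following is an added example, not code from the Info Cards plugin or from Wordfence: one scheme allowlist of the kind the patch description calls for, used both as the hardened href assignment a view.js-style renderer needs and as the database scan suggested under Detection Strategies. The block name "create-block/info-cards" and the nested "cards" attribute layout are assumptions.

```javascript
// Added example (not the Info Cards plugin's own code): a URL-scheme allowlist for
// btnUrl, serving both a view.js-style renderer and a scanner over stored post_content.
const SAFE_SCHEMES = new Set(["http", "https", "mailto", "tel"]);
// Read the scheme the way browsers do: strip leading/trailing ASCII whitespace and C0
// controls, drop embedded tab/CR/LF, lowercase the token before the first ':'.
function urlScheme(url) {
  const cleaned = String(url)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null; // null: relative URL, no scheme
}
// Relative URLs and allowlisted schemes pass; javascript:, data:, vbscript: and
// any other scheme are rejected (deny by default, unlike a blocklist).
function isSafeUrl(url) {
  const scheme = urlScheme(url);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}
// Hardened replacement for a bare `anchor.href = attrs.btnUrl` in view.js.
function safeHref(url) {
  return isSafeUrl(url) ? String(url).trim() : "#";
}
// Collect every "btnUrl" string anywhere in a parsed attribute tree.
function collectBtnUrls(node, out = []) {
  if (Array.isArray(node)) node.forEach((v) => collectBtnUrls(v, out));
  else if (node && typeof node === "object")
    for (const [k, v] of Object.entries(node)) {
      if (k === "btnUrl" && typeof v === "string") out.push(v);
      else collectBtnUrls(v, out);
    }
  return out;
}
// Detection over post_content: Gutenberg serialises block attributes as JSON in
// <!-- wp:namespace/block {...} --> comments; report every btnUrl that fails.
function findUnsafeBtnUrls(postContent) {
  const hits = [];
  const re = /<!--\s*wp:([\w-]+\/[\w-]+)\s+(\{.*?\})\s*\/?-->/gs;
  for (let m; (m = re.exec(postContent)) !== null; ) {
    let attrs; try { attrs = JSON.parse(m[2]); } catch { continue; }
    for (const u of collectBtnUrls(attrs)) {
      if (!isSafeUrl(u)) hits.push({ block: m[1], btnUrl: u, scheme: urlScheme(u) });
    }
  }
  return hits;
}
// Constructed sample post_content (block name assumed); one URL is tab-obfuscated.
const SAMPLE_POST = '<!-- wp:create-block/info-cards {"cards":[' +
  '{"btnUrl":"https://example.com/pricing"},' +
  '{"btnUrl":" Java\\tscript:alert(1)"},{"btnUrl":"/contact"}]} /-->';
```

Running findUnsafeBtnUrls over a site's post_content export gives the audit list the Immediate Actions section asks for; the same isSafeUrl check, applied in render.php as well as view.js, closes the gap between the two layers.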
Workarounds
- Implement a Content Security Policy (CSP) with strict script-src directives to limit the impact of any XSS attacks
- Use a Web Application Firewall (WAF) rule to block requests containing javascript: URLs in block attribute data
- Temporarily demote Contributor accounts to Subscriber level to prevent block editing until patched
- Manually review and sanitize existing Info Card block content in the database to remove any javascript: URLs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.