CVE-2026-4125 Overview
The WPMK Block plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the class shortcode attribute affecting all versions up to and including 1.0.1. This vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode attributes. In the wpmk_block_shortcode() function, the class attribute is extracted from user-controllable shortcode attributes and directly concatenated into an HTML div element's class attribute without proper escaping using functions like esc_attr(). This allows authenticated attackers with Contributor-level access or above to inject arbitrary web scripts that execute when users access compromised pages.
Critical Impact
Authenticated attackers with Contributor-level access can inject persistent malicious scripts that execute in the browsers of all users who view the affected pages, potentially leading to session hijacking, credential theft, or malware distribution.
Affected Products
- WPMK Block WordPress Plugin version 1.0.1 and earlier
- WordPress sites using vulnerable versions of the WPMK Block plugin
Discovery Timeline
- 2026-04-22 - CVE-2026-4125 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-4125
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability exists because the WPMK Block plugin fails to properly sanitize and escape user-supplied input in shortcode attributes before rendering them in HTML output. When a WordPress shortcode is processed, the wpmk_block_shortcode() function extracts the class attribute value and directly embeds it into an HTML div element without applying WordPress's built-in escaping functions.
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security flaw that allows attackers to inject client-side scripts. Since the malicious payload is stored in the WordPress database (in page or post content), the script persists and executes for every user who views the affected page, making this a Stored XSS rather than a Reflected XSS vulnerability.
The attack requires Contributor-level authentication, which limits the attack surface to authenticated users. However, on sites with open registration or multiple contributors, this represents a significant risk as compromised accounts or malicious insiders can exploit this vulnerability.
Root Cause
The root cause is the absence of output escaping in the wpmk_block_shortcode() function in classes/wpmk-block-class.php. The class attribute taken from the shortcode parameters is concatenated directly into the HTML output without passing through a WordPress escaping or sanitization function such as esc_attr(), wp_kses(), or sanitize_html_class(). Because the value is never escaped for the attribute context, an attacker can close the class attribute and inject arbitrary HTML and JavaScript.
Attack Vector
The attack is network-based and has low attack complexity. An authenticated attacker with at least Contributor-level privileges can create or edit a WordPress post or page containing a WPMK Block shortcode with a malicious class attribute value. The payload could include event handlers such as onmouseover or onfocus combined with JavaScript, or could break out of the attribute entirely to inject script tags.
The malicious content is stored in the WordPress database and rendered to all users who view the affected page, including administrators. This enables attackers to steal session cookies, perform actions on behalf of other users, redirect users to malicious sites, or modify page content.
Detection Methods for CVE-2026-4125
Indicators of Compromise
- Unexpected JavaScript code or event handlers in post/page content containing WPMK Block shortcodes
- Suspicious class attribute values in [wpmk_block] shortcodes containing characters like ", ', >, <, or JavaScript keywords
- Browser console errors or unexpected script execution when viewing pages with WPMK Block elements
- User reports of unexpected behavior, redirects, or pop-ups when viewing specific pages
Detection Strategies
- Review WordPress posts and pages for WPMK Block shortcodes with unusual or suspicious class attribute values
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Deploy web application firewalls (WAF) with XSS detection rules to identify and block malicious payloads
- Monitor server logs for unusual POST requests to WordPress content editing endpoints
Monitoring Recommendations
- Enable WordPress audit logging to track post and page modifications by contributors
- Implement real-time security monitoring for JavaScript injection patterns in database content
- Configure browser-based XSS detection tools during security assessments
- Regularly scan WordPress database for stored XSS payloads using security plugins
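The following is an added detection example, not code from the advisory or from the WPMK Block plugin. It implements the "review posts and pages for suspicious class attribute values" strategy above: each [wpmk_block ...] tag in a post body is located, its class attribute is extracted, and the value is flagged when it contains anything a legitimate HTML class list never needs (quotes, angle brackets, event handler names). The shortcode tag and the attribute name come from the advisory; the function names, the classification rules and the sample posts are assumptions constructed for this example.

```php
<?php
// Added detection example; not part of the advisory or the plugin.
// Function names, classification rules and sample posts are constructed.

// Return the raw class value of each [wpmk_block ...] tag found in $content.
// The three attribute forms WordPress' shortcode parser accepts are handled:
// class="...", class='...' and a bare class=value.
function wpmk_find_class_values( $content ) {
    $values = array();
    if ( ! preg_match_all( '/\[wpmk_block\b([^\]]*)\]/i', $content, $tags ) ) {
        return $values;
    }
    foreach ( $tags[1] as $attr_string ) {
        if ( ! preg_match( '/\bclass\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))/i', $attr_string, $m ) ) {
            continue;
        }
        // Exactly one of the three capture groups carries the value; pick it.
        if ( '' !== $m[1] ) {
            $values[] = $m[1];
        } elseif ( isset( $m[2] ) && '' !== $m[2] ) {
            $values[] = $m[2];
        } else {
            $values[] = isset( $m[3] ) ? $m[3] : '';
        }
    }
    return $values;
}

// Classify a class value. Null means it looks like an ordinary class list;
// otherwise a short reason is returned, most specific match first.
function wpmk_classify_class_value( $value ) {
    if ( preg_match( '/\bon[a-z]+\s*=/i', $value ) ) {
        return 'event handler attribute';
    }
    if ( preg_match( '/[<>]/', $value ) ) {
        return 'HTML markup';
    }
    if ( preg_match( '/javascript\s*:/i', $value ) ) {
        return 'javascript: URL';
    }
    // Anything outside letters, digits, '_', '-' and whitespace is not a
    // valid class token and never appears in a legitimate value.
    if ( preg_match( '/[^A-Za-z0-9_\-\s]/', $value ) ) {
        return 'unexpected characters';
    }
    return null;
}

// Scan an array of post_id => post_content and return one finding per
// suspicious class value.
function wpmk_scan_posts( array $posts ) {
    $findings = array();
    foreach ( $posts as $post_id => $content ) {
        foreach ( wpmk_find_class_values( $content ) as $value ) {
            $reason = wpmk_classify_class_value( $value );
            if ( null !== $reason ) {
                $findings[] = array( 'post_id' => $post_id, 'class' => $value, 'reason' => $reason );
            }
        }
    }
    return $findings;
}

// Constructed sample posts keyed by made-up post IDs. Post 12 is a benign use
// of the shortcode; post 47 closes the attribute from inside a single-quoted
// value (the double quote survives shortcode parsing); post 63 smuggles markup.
$sample_posts = array(
    12 => 'Intro [wpmk_block class="hero wide"]Welcome[/wpmk_block]',
    47 => '[wpmk_block class=\'hero" onmouseover="alert(1)\']x[/wpmk_block]',
    63 => '[wpmk_block class="nav<svg>"]y[/wpmk_block]',
);

foreach ( wpmk_scan_posts( $sample_posts ) as $f ) {
    printf( "post %d: %s -> %s\n", $f['post_id'], $f['reason'], $f['class'] );
}
```

The script runs stand-alone with `php scan.php` against the constructed posts. To run it against a live site (an assumed usage, not documented by the plugin), replace `$sample_posts` with the rows of a `$wpdb` query selecting `ID` and `post_content` where `post_content LIKE '%[wpmk_block%'`, and execute it under WP-CLI with `wp eval-file scan.php` so `$wpdb` is available. Only the class attribute is examined because that is the attribute the advisory identifies as unescaped; extend `wpmk_find_class_values()` if other attributes of the shortcode are later found to be rendered the same way.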
How to Mitigate CVE-2026-4125
Immediate Actions Required
- Update the WPMK Block plugin to a patched version when available from the WordPress plugin repository
- Review and audit all existing posts and pages using WPMK Block shortcodes for malicious content
- Temporarily disable or remove the WPMK Block plugin if no patch is available and the plugin is non-essential
- Restrict Contributor-level access to trusted users only until the vulnerability is patched
- Consider implementing a web application firewall (WAF) with XSS protection rules
Patch Information
Check the WordPress Plugin Repository for an updated version of the WPMK Block plugin that addresses this vulnerability; the Wordfence vulnerability analysis provides additional details and current patch status.
Workarounds
- Disable the WPMK Block plugin entirely until a patched version is released
- Remove Contributor-level access from untrusted users to prevent exploitation
- Apply output escaping in the plugin code by passing the class attribute through esc_attr() before it is rendered (requires development expertise)
- Deploy a WAF rule to filter shortcode attributes containing potentially malicious characters or JavaScript keywords
- Use WordPress security plugins that provide virtual patching capabilities for known vulnerabilities
# Configuration example - Disable the plugin via WP-CLI
wp plugin deactivate wpmk-block
# Alternatively, rename the plugin folder to disable it
mv wp-content/plugins/wpmk-block wp-content/plugins/wpmk-block.disabled
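The following is an added illustration of the Root Cause section and of the "patch the plugin code" workaround above; it is not the plugin's own code. The real handler lives in classes/wpmk-block-class.php, but its body is not reproduced on this page, so the vulnerable function below is a reconstruction of the pattern the advisory describes, and `wpmk_block_shortcode_hardened()` is a hypothetical name for the corrected version. The stand-ins for `esc_attr()`, `sanitize_html_class()` and `shortcode_atts()` exist only so the file runs with plain `php` outside WordPress; inside WordPress the core functions are used.

```php
<?php
// Added illustration; not the plugin's code. The vulnerable handler is a
// reconstruction of the pattern the advisory describes, the hardened one is
// a hypothetical fix. Core-function stand-ins follow so this runs standalone.

if ( ! function_exists( 'esc_attr' ) ) {
    // Escapes for an HTML attribute context, as core esc_attr() does.
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_html_class' ) ) {
    // Mirrors core: drop %xx sequences, then keep only A-Z a-z 0-9 _ -.
    function sanitize_html_class( $class, $fallback = '' ) {
        $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', (string) $class );
        $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
        if ( '' === $sanitized && '' !== $fallback ) {
            return sanitize_html_class( $fallback );
        }
        return $sanitized;
    }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    // Merges user attributes over the defaults, as core shortcode_atts() does.
    function shortcode_atts( $pairs, $atts ) {
        $out = array();
        foreach ( $pairs as $name => $default ) {
            $out[ $name ] = array_key_exists( $name, $atts ) ? $atts[ $name ] : $default;
        }
        return $out;
    }
}

// Pattern the advisory describes: the user-controlled class value is
// concatenated straight into the div's class attribute. A value containing
// a double quote closes the attribute and whatever follows becomes markup.
function wpmk_block_shortcode_vulnerable( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'class' => '' ), (array) $atts );
    return '<div class="wpmk-block ' . $atts['class'] . '">' . $content . '</div>';
}

// Hardened version. Each whitespace-separated token is reduced to the
// character set a class name may contain, then the whole attribute value is
// escaped for the attribute context on output. Either step alone closes the
// break-out; doing both is defence in depth and costs nothing.
function wpmk_block_shortcode_hardened( $atts, $content = '' ) {
    $atts    = shortcode_atts( array( 'class' => '' ), (array) $atts );
    $tokens  = preg_split( '/\s+/', trim( (string) $atts['class'] ) );
    $classes = array_filter( array_map( 'sanitize_html_class', $tokens ) );
    $value   = esc_attr( trim( 'wpmk-block ' . implode( ' ', $classes ) ) );
    return '<div class="' . $value . '">' . $content . '</div>';
}

// Constructed sample input: a class value that tries to close the attribute
// and attach an event handler, the shape of payload the advisory describes.
$sample = array( 'class' => 'hero" onmouseover="alert(1)' );
echo wpmk_block_shortcode_vulnerable( $sample, 'x' ), PHP_EOL;
echo wpmk_block_shortcode_hardened( $sample, 'x' ), PHP_EOL;
```

Running the file shows the two renderings side by side: the vulnerable handler emits a div that carries a live onmouseover attribute, while the hardened handler emits only inert class tokens because the quote, the space and the parentheses are stripped by `sanitize_html_class()` and anything left would still be encoded by `esc_attr()`. When patching a real installation, prefer the upstream fix once it ships; a local edit to classes/wpmk-block-class.php is overwritten by the next plugin update.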
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.