CVE-2026-4811 Overview
CVE-2026-4811 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin. The flaw exists in all versions up to and including 1.0.8. The plugin fails to properly sanitize input and escape output in the Icon CSS Class category field.
Authenticated attackers with Editor-level access or higher can inject arbitrary JavaScript that executes when users view affected pages. The vulnerability is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Authenticated Editor-level attackers can inject persistent JavaScript payloads that execute in the browser context of any visitor accessing affected pages, enabling session theft and administrative actions.
Affected Products
- WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin
- All versions up to and including 1.0.8
- WordPress installations using the vulnerable plugin
Discovery Timeline
- 2026-05-21 - CVE-2026-4811 published to NVD
- 2026-05-21 - Last updated in NVD database
Technical Details for CVE-2026-4811
Vulnerability Analysis
The vulnerability resides in the plugin's category icon administration interface. The Icon CSS Class field accepts attacker-supplied strings without applying sanitization functions such as sanitize_text_field() on input. The same value is later rendered into page markup without escaping through esc_attr() or esc_html().
This dual failure — missing input sanitization and missing output escaping — allows arbitrary HTML and JavaScript to be persisted in the WordPress database. When administrators or site visitors render pages containing the malicious category icon, the browser parses and executes the injected script.
The vulnerable code path is documented in the WordPress Plugin Source Code at line 41 of admin/category-icon.php.
Root Cause
The root cause is the absence of WordPress's standard sanitization and escaping APIs around the Icon CSS Class parameter. The plugin trusts authenticated user input from the category settings form and writes it directly to storage, then echoes it back into HTML attributes during page rendering.
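The two failures described above, written out as an added illustration (this is not the plugin's source): a save/render pair that stores the Icon CSS Class raw and echoes it unescaped, beside a hardened pair that applies sanitize_text_field() on input and esc_attr() on output, and additionally allowlists each class token with sanitize_html_class(). The meta key, nonce names, hook wiring and function names are hypothetical; the WordPress APIs used are real.

```php
<?php
// Added illustration of the flaw and its fix; not the plugin's code. Meta key,
// nonce names and function names are hypothetical; the WordPress APIs are real.

// --- Vulnerable pattern: value stored raw, then echoed unescaped ---
function vuln_save_icon_class( $term_id ) {
    if ( isset( $_POST['icon_css_class'] ) ) {
        // No sanitize_text_field(): a closing quote plus an event handler is kept verbatim.
        update_term_meta( $term_id, 'wpb_icon_class', wp_unslash( $_POST['icon_css_class'] ) );
    }
}

function vuln_render_icon( $term_id ) {
    $class = get_term_meta( $term_id, 'wpb_icon_class', true );
    // No esc_attr(): a stored quote ends the attribute and the rest becomes markup.
    echo '<i class="' . $class . '"></i>';
}

// --- Hardened pattern: capability + nonce check, sanitize on save, escape on output ---
function safe_save_icon_class( $term_id ) {
    if ( ! isset( $_POST['icon_css_class'] ) || ! current_user_can( 'edit_term', $term_id ) ) {
        return;
    }
    check_admin_referer( 'wpb_icon_class_save', 'wpb_icon_class_nonce' ); // hypothetical names
    $raw = sanitize_text_field( wp_unslash( $_POST['icon_css_class'] ) );
    // A class list can only contain class-name characters, so allowlist each token;
    // sanitize_html_class() drops anything outside [A-Za-z0-9_-].
    $tokens = array_filter( array_map( 'sanitize_html_class', preg_split( '/\s+/', $raw ) ) );
    update_term_meta( $term_id, 'wpb_icon_class', implode( ' ', $tokens ) );
}

function safe_render_icon( $term_id ) {
    $class = (string) get_term_meta( $term_id, 'wpb_icon_class', true );
    // Escape at output regardless of what was sanitized on the way in (defense in depth).
    echo '<i class="' . esc_attr( $class ) . '"></i>';
}

// Hypothetical wiring: WordPress passes $term_id to the create_{$taxonomy} and
// edited_{$taxonomy} hooks, here for the built-in 'category' taxonomy.
add_action( 'create_category', 'safe_save_icon_class' );
add_action( 'edited_category', 'safe_save_icon_class' );
```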
Attack Vector
An attacker with Editor-level credentials or higher accesses the plugin's category configuration. The attacker submits a payload in the Icon CSS Class field that breaks out of the attribute context, for example by including quote characters followed by event handlers such as onmouseover or onerror. The payload is stored in the database. Each time a user loads a page that renders the floating menu, the injected script executes under the site's origin. Stolen session cookies, forced administrative actions via CSRF, or browser-based redirects to malware are typical post-exploitation outcomes. See the Wordfence Vulnerability Report for additional technical analysis.
Detection Methods for CVE-2026-4811
Indicators of Compromise
- Unexpected <script> tags, javascript: URIs, or HTML event handlers stored within WordPress category metadata for the WPB Floating Menu plugin
- Outbound HTTP requests from visitor browsers to unfamiliar domains shortly after rendering category-driven pages
- New or modified administrator accounts created shortly after Editor-level logins
Detection Strategies
- Query the WordPress database for category term meta rows associated with the plugin and inspect values for HTML tags, quote characters, or on* attribute names
- Review web server access logs for POST requests to plugin administration endpoints under /wp-admin/ originating from Editor accounts
- Monitor for browser Content Security Policy (CSP) violation reports triggered by inline scripts on pages using the floating menu
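One way to carry out the term-meta query above, as an added WP-CLI eval-file script that is not part of the plugin or the advisory: it pulls candidate wp_termmeta rows and flags any value that is not a plain class list, reporting which pattern (tag, event handler, javascript: URI, quote) matched. The meta_key LIKE filter is a placeholder that must be narrowed to the key the plugin actually uses.

```php
<?php
// Added detection helper, not from the plugin or the advisory. Run inside WordPress
// with `wp eval-file scan-icon-classes.php` so that $wpdb and WP_CLI are available.
// The meta_key filter is a PLACEHOLDER; narrow it to the key the plugin really uses.

/**
 * Return a reason string if a stored Icon CSS Class value looks tampered with,
 * or null if it is a plain class list (letters, digits, '-', '_' and spaces).
 */
function wpb_icon_class_suspicious_reason( $value ) {
    if ( preg_match( '/^[A-Za-z0-9_\- ]*$/D', $value ) ) {
        return null;
    }
    $checks = array(
        'html tag'                 => '/<\s*\/?\s*[a-z!]/i',
        'event handler attribute'  => '/\bon[a-z]+\s*=/i',
        'javascript: uri'          => '/javascript\s*:/i',
        'attribute-breaking quote' => '/["\']/',
    );
    foreach ( $checks as $reason => $pattern ) {
        if ( preg_match( $pattern, $value ) ) {
            return $reason;
        }
    }
    return 'characters outside the class-name allowlist';
}

global $wpdb;
$rows = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT meta_id, term_id, meta_key, meta_value FROM {$wpdb->termmeta} WHERE meta_key LIKE %s",
        '%icon%' // PLACEHOLDER pattern for the plugin's meta key
    )
);

$flagged = 0;
foreach ( $rows as $row ) {
    $reason = wpb_icon_class_suspicious_reason( (string) $row->meta_value );
    if ( null !== $reason ) {
        $flagged++;
        // Print the ids so the row can be reviewed and, if malicious, removed
        // with `wp term meta delete <term_id> <meta_key>`.
        WP_CLI::warning( sprintf( 'term %d / meta_id %d [%s]: %s',
            $row->term_id, $row->meta_id, $reason, $row->meta_value ) );
    }
}
WP_CLI::log( sprintf( 'Scanned %d rows, flagged %d.', count( $rows ), $flagged ) );
```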
Monitoring Recommendations
- Audit Editor and Administrator account activity, focusing on plugin configuration changes
- Enable WordPress audit logging plugins to capture term and meta modifications
- Alert on any modification to category-icon.php or related plugin files
How to Mitigate CVE-2026-4811
Immediate Actions Required
- Update the WPB Floating Menu & Categories plugin to a version newer than 1.0.8 once a patched release is available
- Review all existing category icon CSS class values and remove any entries containing HTML or script content
- Restrict Editor-level access to trusted users and enforce strong authentication including multi-factor authentication
Patch Information
At the time of publication, the CVE record lists all versions up to and including 1.0.8 as vulnerable. Site operators should monitor the Wordfence Vulnerability Report and the WordPress plugin repository for an updated release that adds sanitize_text_field() on input and esc_attr() on output for the Icon CSS Class field.
Workarounds
- Deactivate the WPB Floating Menu & Categories plugin until a patched version is released
- Apply a Web Application Firewall (WAF) rule that blocks HTML tags and event handler attributes in POST parameters targeting the plugin's admin endpoints
- Implement a strict Content Security Policy that disallows inline scripts and limits script sources to trusted origins
# Example WordPress CLI command to deactivate the vulnerable plugin
wp plugin deactivate wpb-floating-menu-or-categories
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.