CVE-2026-6256 Overview
CVE-2026-6256 is a Stored Cross-Site Scripting (XSS) vulnerability in the Credits Shortcode plugin for WordPress. The flaw affects all plugin versions up to and including 1.2. It exists in the link attribute of the credits shortcode, where user-supplied input is neither properly sanitized nor escaped on output. Authenticated users with contributor-level access or above can inject arbitrary JavaScript into pages. The injected script executes in the browser of any visitor who loads the affected page. The issue is categorized under CWE-79.
Critical Impact
Contributor-level accounts can persistently inject JavaScript that executes against site visitors and administrators, enabling session theft, content manipulation, and privilege escalation paths.
Affected Products
- WordPress Credits Shortcode plugin (slug: source-shortcode) versions ≤ 1.2
- WordPress sites permitting contributor-level or higher accounts to use the credits shortcode
- Any WordPress deployment running the vulnerable credits_shortcode.php handler
Discovery Timeline
- 2026-05-12 - CVE-2026-6256 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-6256
Vulnerability Analysis
The Credits Shortcode plugin registers a credits shortcode handler in credits_shortcode.php. The handler accepts attributes including link, which is reflected into the rendered HTML output of pages and posts. The plugin fails to apply sufficient input sanitization on the supplied attribute value and does not perform output escaping before embedding the value into the response. As a result, an authenticated contributor can place arbitrary HTML or JavaScript payloads inside the link attribute. The payload is stored in post content and rendered every time the page is viewed. Because the script executes in the context of the WordPress site origin, an attacker can read cookies, perform actions on behalf of the viewing user, and pivot toward higher-privileged accounts if an administrator views the page.
Root Cause
The root cause is missing input validation and missing output escaping on shortcode attributes. WordPress shortcode attributes must be sanitized using functions such as sanitize_text_field() and escaped on output using esc_url() or esc_attr() depending on context. The vulnerable handler at line 36 of credits_shortcode.php concatenates the link attribute into HTML without applying either control, allowing tag and attribute breakout.
Attack Vector
Exploitation requires an authenticated session at the contributor role or higher. The attacker creates or edits a post that contains a credits shortcode and supplies a malicious payload inside the link attribute. After the post is published or previewed, any user rendering the page executes the injected script. The scope is changed because script executes in a different security context than the contributor's permissions, affecting visitors and reviewers. Refer to the Wordfence Vulnerability Report and the vulnerable source file for technical details.
// Conceptual injection pattern - no verified PoC released
// Contributor inserts the following into a post body:
// [credits link="<attacker-controlled payload breaking out of the attribute>"]
// The plugin echoes the attribute into HTML without esc_url/esc_attr,
// allowing script execution when the page is rendered.
Detection Methods for CVE-2026-6256
Indicators of Compromise
- Post or page content containing [credits shortcodes with link attribute values that include <, >, ", javascript:, onerror=, or onload= tokens.
- Unexpected outbound requests from visitor browsers to attacker-controlled domains after loading pages that render the credits shortcode.
- New or modified posts authored by contributor-role accounts that contain shortcode attributes with encoded HTML or script fragments.
Detection Strategies
- Query the wp_posts table for post_content matching %[credits%link=% and inspect attribute values for HTML metacharacters or scheme handlers such as javascript:.
- Scan WordPress installations for the source-shortcode plugin at version 1.2 or earlier using a plugin inventory tool or wp plugin list via WP-CLI.
- Review web server access logs for anomalous referrers or POST requests to /wp-admin/post.php originating from contributor accounts shortly before XSS indicators appear.
Monitoring Recommendations
- Enable WordPress audit logging for post creation and edits by non-administrator roles, and alert on shortcode insertion patterns.
- Forward web access and WordPress audit logs to a centralized log platform and correlate contributor edits with subsequent visitor-side script errors or Content Security Policy violations.
- Deploy browser-side CSP reporting to capture script-src violations originating from rendered post pages.
How to Mitigate CVE-2026-6256
Immediate Actions Required
- Disable or uninstall the Credits Shortcode plugin until a patched release is available.
- Audit existing posts for the credits shortcode and remove or sanitize any link attribute values containing HTML or scripting payloads.
- Restrict contributor-level account creation and review the legitimacy of recent contributor registrations.
Patch Information
At the time of publication, no fixed version of the Credits Shortcode plugin is listed in the Wordfence Vulnerability Report. All versions up to and including 1.2 are vulnerable. Monitor the plugin source repository for an updated release that applies esc_url() or esc_attr() to the link attribute.
Workarounds
- Remove the plugin from the WordPress installation and replace its functionality with a custom shortcode that escapes attribute values using esc_url() and esc_attr().
- Lower contributor permissions or require editor review before any contributor post can be previewed or published on production.
- Deploy a web application firewall rule that blocks requests containing [credits shortcodes with HTML metacharacters in attribute values.
# Identify installations of the vulnerable plugin via WP-CLI
wp plugin list --name=source-shortcode --fields=name,status,version
# Disable the plugin network-wide pending remediation
wp plugin deactivate source-shortcode
# Search post content for suspicious shortcode usage
wp db query "SELECT ID, post_author, post_status FROM wp_posts \
WHERE post_content LIKE '%[credits%link=%<%' \
OR post_content LIKE '%[credits%link=%javascript:%';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
