{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4088", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-12T21:01:55.593Z", "datePublished": "2026-04-22T07:45:31.826Z", "dateUpdated": "2026-04-22T07:45:31.826Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:31.826Z"}, "affected": [{"vendor": "wpshouter", "product": "Switch CTA Box", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppw_cta_box' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'cta_box_button_link', 'cta_box_button_id', 'cta_box_button_text', and 'cta_box_description'. The shortcode reads post meta from a user-specified post ID and echoes these values directly into HTML output without any escaping functions (no esc_attr(), esc_url(), or esc_html()). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Switch CTA Box <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19a3fc90-b81c-4451-80e0-cead99a2dcd9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/box_display_template.php#L18"}, {"url": "https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/box_display_template.php#L18"}, {"url": "https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/box_display_template.php#L14"}, {"url": "https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/box_display_template.php#L14"}, {"url": "https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/box_display_template.php#L2"}, {"url": "https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/box_display_template.php#L2"}, {"url": "https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/shortcode_setup.php#L8"}, {"url": "https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/shortcode_setup.php#L8"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-04-21T19:06:56.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppw_cta_box' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'cta_box_button_link', 'cta_box_button_id', 'cta_box_button_text', and 'cta_box_description'. The shortcode reads post meta from a user-specified post ID and echoes these values directly into HTML output without any escaping functions (no esc_attr(), esc_url(), or esc_html()). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4088", "lastModified": "2026-04-22T09:16:22.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:22.560", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/box_display_template.php#L14"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/box_display_template.php#L18"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/box_display_template.php#L2"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/shortcode_setup.php#L8"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/box_display_template.php#L14"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/box_display_template.php#L18"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/box_display_template.php#L2"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/shortcode_setup.php#L8"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19a3fc90-b81c-4451-80e0-cead99a2dcd9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T09:28:39.961583+00:00", "value": {"mitigation_remediation": ["Upgrade Switch\u202fCTA\u202fBox to the latest stable release that includes the stored\u2011XSS fix (e.g., version\u202f1.2 or later).", "If an upgrade cannot be performed immediately, remove or disable the 'wppw_cta_box' shortcode from all themes and pages until the plugin is patched.", "As a temporary workaround for sites that must keep the shortcode, edit the shortcode handler to wrap all user\u2011supplied values with WordPress escaping functions such as esc_attr(), esc_url(), and esc_html().", "Restrict contributor\u2011level user permissions to only those who are fully trusted, reducing the number of accounts that can introduce malicious payloads."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting via plugin shortcode"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Switch CTA Box plugin version 1.1 or earlier. The vulnerability appears in the plugin\u2019s active shortcode implementation, which displays content on post pages identified by a supplied post ID.", "description_and_impact": "The Switch CTA Box plugin contains a stored cross\u2011site scripting vulnerability in all releases up to and including 1.1. Insufficient sanitization of user\u2011supplied post meta such as link, button ID, text, and description allows an attacker to inject arbitrary JavaScript that will run for any visitor to a page containing the shortcode. The flaw is scoped to authenticated users with contributor or higher privileges, meaning sites with many contributors are at risk.", "risk_and_exploitability": "The CVSS score of 6.4 categorises this as a medium\u2011severity flaw. The EPSS score is not available, but the lack of listing in CISA\u2019s KEV catalog suggests no widespread public exploitation is yet documented. Exploitation requires credentials with contributor access and involves injecting script payloads into the plugin\u2019s shortcode output. Once injected, the payload executes in the context of any site visitor, potentially allowing defacement, cookie theft, or other client\u2011side attacks."}}}}, "created": "2026-04-22T09:30:13.558294+00:00", "updated": "2026-04-22T09:30:13.558310+00:00", "vendors": []}