CVE-2026-1099 in Administrative Shortcodes Plugin
Summary
by MITRE • 01/24/2026
The Administrative Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'login' and 'logout' shortcode attributes in all versions up to, and including, 0.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 01/25/2026
The CVE-2026-1099 vulnerability affects the Administrative Shortcodes plugin for WordPress, representing a critical stored cross-site scripting weakness that compromises user security within WordPress environments. This vulnerability exists in all plugin versions up to and including 0.3.4, making it a persistent threat across multiple releases. The flaw specifically targets the 'login' and 'logout' shortcode attributes, which are commonly used in WordPress administrative contexts to manage user authentication flows. The vulnerability stems from inadequate input sanitization and insufficient output escaping mechanisms that fail to properly validate or encode user-supplied data before processing.
The technical exploitation of this vulnerability requires an authenticated attacker with Contributor-level access or higher, which represents a significant concern as it lowers the barrier to exploitation compared to vulnerabilities requiring administrator privileges. Attackers can leverage this weakness by injecting malicious scripts through the vulnerable shortcode parameters when creating or editing posts, pages, or other content where these shortcodes are utilized. The stored nature of this XSS vulnerability means that the malicious code persists in the database and executes whenever any user accesses the affected content, making it particularly dangerous for widespread impact. This vulnerability directly maps to CWE-79, which classifies cross-site scripting flaws in web applications, and aligns with ATT&CK technique T1566.001 for initial access through spearphishing attachments or links.
The operational impact of CVE-2026-1099 extends beyond simple script execution, as it can enable attackers to perform various malicious activities including session hijacking, credential theft, redirection to malicious sites, and data exfiltration. Since contributors can create and modify content, attackers can inject scripts into posts, pages, or custom post types that will execute for any user who views the affected content, including administrators. This creates a persistent threat vector that can compromise entire WordPress installations if attackers gain sufficient privileges. The vulnerability affects WordPress environments where the Administrative Shortcodes plugin is installed and active, potentially impacting thousands of websites that have not yet updated to patched versions. The attack surface is particularly concerning in multi-user environments where contributor accounts may be more readily accessible or compromised.
Mitigation strategies for CVE-2026-1099 should focus on immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. Organizations should also implement strict access controls to limit contributor-level privileges and monitor content creation activities for suspicious scripts. Additionally, implementing Content Security Policy headers can provide defense-in-depth against XSS attacks by restricting script execution from untrusted sources. Regular security audits of WordPress plugins and themes should be conducted to identify similar vulnerabilities, while maintaining updated security tooling including web application firewalls and intrusion detection systems. The vulnerability highlights the importance of proper input validation and output escaping practices in web application development, particularly for plugins that handle user-supplied content in administrative contexts. Organizations should also consider implementing automated patch management processes to ensure timely updates of vulnerable components and reduce exposure windows.