CVE-2026-3333 in MinhNhut Link Gateway Plugin
Summary
by MITRE • 03/21/2026
The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linkgate' shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/21/2026
The CVE-2026-3333 vulnerability affects the MinhNhut Link Gateway plugin for WordPress, representing a critical stored cross-site scripting flaw that has been present in all versions up to and including 3.6.1. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's 'linkgate' shortcode implementation, creating a persistent security weakness that can be exploited by authenticated attackers. The flaw specifically targets user-supplied attributes within the shortcode functionality, allowing malicious actors to inject malicious scripts that will execute whenever any user accesses pages containing the compromised content.
The technical nature of this vulnerability places it squarely within the scope of CWE-79, which defines Cross-Site Scripting as a common web application security weakness. This particular implementation flaw demonstrates a failure in proper input validation and output encoding practices, where user-provided data is not adequately sanitized before being processed and rendered within the web application. The vulnerability affects the plugin's shortcode functionality, which is designed to handle user-generated content through the 'linkgate' attribute, but fails to implement appropriate security controls to prevent malicious script injection.
The operational impact of this vulnerability is significant for WordPress installations utilizing the affected plugin, as it grants authenticated attackers with Contributor-level access and above the ability to execute arbitrary web scripts within the context of affected users' browsers. This means that any user with contributor privileges or higher can potentially compromise the security of other users by injecting malicious code through the plugin's shortcode interface. The stored nature of the vulnerability ensures that the injected scripts persist in the database and will execute every time affected pages are accessed, making it particularly dangerous for websites with multiple users or high traffic volumes.
The attack vector for this vulnerability requires an authenticated user with Contributor-level permissions or higher, which represents a moderate privilege escalation risk in many WordPress environments. However, the potential for widespread impact exists because once an attacker gains access through this privilege level, they can create persistent XSS payloads that will affect all users who access compromised pages. This vulnerability directly aligns with ATT&CK technique T1566.001, which covers 'Phishing with malicious attachments', as the malicious scripts can be delivered through compromised plugin functionality rather than traditional email vectors.
Mitigation strategies for CVE-2026-3333 should prioritize immediate plugin updates to versions that address the XSS vulnerability, as this represents the most effective defense against the specific flaw. Organizations should also implement proper input validation and output escaping mechanisms within their WordPress installations, ensuring that all user-supplied content is properly sanitized before being processed or displayed. Network monitoring and intrusion detection systems should be configured to identify suspicious shortcode usage patterns that might indicate exploitation attempts. Additionally, administrators should enforce the principle of least privilege, limiting Contributor-level access to only trusted users and implementing additional security measures such as two-factor authentication to reduce the risk of unauthorized access to privileged accounts. The vulnerability highlights the importance of regular security audits and patch management processes to prevent similar issues from occurring in other plugin components or custom WordPress functionality.