CVE-2026-3554 in Sherk Custom Post Type Displays Plugin
Summary
by MITRE • 03/21/2026
The Sherk Custom Post Type Displays plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the 'title' attribute of the 'sherkcptdisplays' shortcode. Specifically, in the sherkcptdisplays_func() function in includes/SherkCPTDisplaysShortcode.php, the 'title' attribute value is extracted from shortcode_atts() on line 19 and directly concatenated into an HTML tag on line 31 without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability identified as CVE-2026-3554 affects the Sherk Custom Post Type Displays plugin for WordPress in all versions up to and including 1.2.1. It is a critical flaw that enables stored cross-site scripting attacks through the plugin's shortcode functionality. The vulnerability stems from inadequate input validation and output sanitization in the plugin's code, creating an exploitable condition for authenticated users with Contributor-level privileges or higher. The issue manifests through the 'title' attribute of the 'sherkcptdisplays' shortcode, which is the attack vector for executing malicious scripts within the targeted WordPress environment.
The technical implementation of this vulnerability occurs within the sherkcptdisplays_func() function located in the includes/SherkCPTDisplaysShortcode.php file. On line 19, the plugin extracts the 'title' attribute value using the shortcode_atts() function, which is a standard WordPress method for processing shortcode attributes. However, the extracted value is subsequently directly concatenated into an HTML tag on line 31 without any form of output escaping or sanitization. This direct concatenation bypasses WordPress's built-in security measures that typically protect against XSS attacks by properly escaping HTML entities before rendering user-supplied content. The absence of proper escaping creates a persistent XSS vulnerability where malicious scripts can be stored and executed whenever affected pages are accessed by other users.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the capability to perform various malicious activities within the compromised WordPress environment. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts that will execute whenever any user accesses pages containing the injected content. This creates a persistent threat that can be used for session hijacking, credential theft, data exfiltration, or further exploitation of the WordPress installation. The vulnerability affects all users who access pages containing the compromised shortcode, making it particularly dangerous in multi-user environments where administrators and editors may inadvertently view infected content. The stored nature of the vulnerability means that the malicious scripts remain active until manually removed from the content, creating a long-term security risk that can persist even after the initial attack vector is identified.
This vulnerability maps directly to CWE-79, which describes Cross-Site Scripting (XSS) flaws in software applications. The specific implementation pattern aligns with ATT&CK technique T1566.001, which covers "Phishing with Social Engineering" through the exploitation of web application vulnerabilities. The attack requires minimal privileges to execute, making it particularly concerning as it can be exploited by users who normally have limited access rights within the WordPress system. The vulnerability represents a classic case of insufficient output escaping in web applications, where user-controllable data is directly rendered into HTML without proper sanitization. Organizations should consider implementing input validation at multiple layers, including both client-side and server-side processing, to prevent similar vulnerabilities from occurring in their WordPress installations. The recommended mitigation involves immediate patching of the plugin to version 1.2.2 or later, where proper output escaping has been implemented to prevent the direct concatenation of user input into HTML elements without sanitization.
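The following is an added example, not the plugin's own code, illustrating the pattern the analysis describes (an attribute taken from shortcode_atts() and concatenated into a tag) next to the hardened form that escapes at the point of output. The shortcode tag, function names and markup are assumptions chosen for illustration; the small polyfills exist only so the file runs under plain `php` outside WordPress, where the real shortcode_atts() and esc_html() are used instead.

```php
<?php
// Added example (not the Sherk plugin's code): a minimal shortcode handler
// in the shape the advisory describes, first vulnerable, then hardened.
// The tag name 'example_cpt_display', the function names and the <h2>
// markup are assumptions for illustration only.

// Polyfills so the script runs outside WordPress. Inside WordPress these
// functions already exist and the guards below are skipped.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, $atts, $shortcode = '') {
        $atts = (array) $atts;
        $out  = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_html')) {
    // WordPress esc_html() does more (charset handling, filters); this
    // stand-in covers the characters that matter for the example.
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: 'title' is read from shortcode_atts() and written
// into the tag unchanged, so any markup a Contributor types in the
// attribute is parsed by the browser as HTML.
function example_cpt_display_vulnerable($atts) {
    $atts = shortcode_atts(['title' => 'Posts'], $atts, 'example_cpt_display');
    return '<h2 class="cpt-display-title">' . $atts['title'] . '</h2>';
}

// Hardened pattern: same extraction, but the value is escaped where it
// meets the HTML. This is the kind of output escaping the analysis says
// the fixed release applies.
function example_cpt_display_hardened($atts) {
    $atts = shortcode_atts(['title' => 'Posts'], $atts, 'example_cpt_display');
    return '<h2 class="cpt-display-title">' . esc_html($atts['title']) . '</h2>';
}

// Constructed attribute value with markup characters, standing in for what
// a Contributor could type into the shortcode. It is a harmless probe.
$untrusted = ['title' => 'Latest <b>news</b> & "events"'];

echo 'vulnerable: ' . example_cpt_display_vulnerable($untrusted) . PHP_EOL;
echo 'hardened:   ' . example_cpt_display_hardened($untrusted) . PHP_EOL;

// Registering the hardened handler when running inside WordPress.
if (function_exists('add_shortcode')) {
    add_shortcode('example_cpt_display', 'example_cpt_display_hardened');
}
```

Run the file with `php` to compare the two outputs: the vulnerable handler emits the `<b>` tags as live markup, while the hardened one emits `&lt;b&gt;` so the browser renders the text literally. For a value placed inside an attribute rather than between tags, esc_attr() is the matching WordPress function; the rule is the same either way, escape at the output site according to the context the value lands in, regardless of what validation happened when the content was saved.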