CVE-2026-3996 in WP Games Embed Plugin
Summary
by MITRE • 03/21/2026
The WP Games Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [game] shortcode in all versions up to and including 0.1beta. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'width', 'height', 'src', 'title', 'description', 'game_url', 'main', and 'thumb', which are all directly concatenated into HTML output without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/21/2026
The WP Games Embed plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2026-3996 affecting all versions through 0.1beta. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's shortcode implementation. The flaw specifically impacts the [game] shortcode functionality where user-supplied attributes including width, height, src, title, description, game_url, main, and thumb parameters are directly incorporated into HTML output without proper sanitization measures. The vulnerability manifests when authenticated attackers with Contributor-level privileges or higher exploit this weakness to inject malicious JavaScript code into the plugin's shortcode attributes.
The technical exploitation of this vulnerability occurs through the direct concatenation of user-supplied parameters into HTML markup without appropriate escaping or sanitization procedures. This stored XSS vulnerability allows attackers to persistently inject malicious scripts that execute whenever any user accesses pages containing the compromised shortcode content. The attack vector leverages the plugin's insufficient validation of input parameters, enabling threat actors to manipulate the shortcode attributes in ways that bypass standard security controls. The vulnerability affects the core functionality of WordPress by compromising the integrity of content rendered through the plugin's game embedding features.
From an operational impact perspective, this vulnerability creates significant security risks for WordPress installations using the affected plugin. Authenticated attackers with Contributor-level access can establish persistent backdoors or execute malicious code execution against unsuspecting users who view pages containing the compromised content. The stored nature of the vulnerability means that once injected, the malicious scripts remain active until manually removed, potentially affecting all users who access the compromised pages. This creates a sustained threat vector that can be used for credential theft, session hijacking, or redirection to malicious sites.
The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications, and corresponds to ATT&CK technique T1566.001 for initial access through malicious content. Organizations using this plugin face potential data breaches, unauthorized access to user sessions, and compromise of the entire WordPress installation. The attack requires minimal privileges and can be executed through standard content management workflows, making it particularly dangerous for sites with multiple contributors. Security practitioners should consider this vulnerability as a high-priority threat requiring immediate remediation.
Mitigation strategies include immediate patching of the plugin to version 0.1beta or later where the vulnerability has been addressed through proper input sanitization and output escaping mechanisms. Administrators should also implement additional security measures such as restricting contributor permissions, monitoring content changes, and implementing web application firewalls to detect and block malicious payload injection attempts. Regular security audits of WordPress plugins and themes remain essential for identifying similar vulnerabilities. The recommended approach involves comprehensive input validation, output encoding, and principle of least privilege access controls to prevent unauthorized content modification. Organizations should also establish incident response procedures to address potential exploitation attempts and monitor for suspicious content modifications in their WordPress installations.