CVE-2026-4067 in Ad Short Plugin

Summary

by MITRE • 03/21/2026

The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' shortcode's 'client' attribute in all versions up to and including 2.0.1. This is due to insufficient input sanitization and output escaping on the 'client' shortcode attribute. The ad_func() shortcode handler at line 71 accepts a 'client' attribute via shortcode_atts() and directly concatenates it into a double-quoted HTML attribute (data-ad-client) at line 130 without applying esc_attr() or any other sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/21/2026

The vulnerability identified in CVE-2026-4067 affects the Ad Short plugin for WordPress, specifically targeting versions up to and including 2.0.1. This represents a critical security flaw that enables stored cross-site scripting attacks through the plugin's shortcode functionality. The issue stems from inadequate input validation and output sanitization mechanisms within the plugin's codebase, creating a persistent vector for malicious code injection that can compromise user sessions and data integrity.

The technical flaw lies in the ad_func() shortcode handler function at line 71, where the 'client' attribute is read through shortcode_atts() without sanitization. At line 130 the unsanitized value is concatenated directly into a double-quoted HTML attribute (data-ad-client). This plain string concatenation bypasses WordPress's built-in escaping helpers such as esc_attr(), which would normally protect an attribute context against script injection. The vulnerability is classified under CWE-79 as a failure to escape output, specifically a stored XSS that lets attackers persist malicious scripts within the shortcode parameters the plugin processes.

The operational impact of this vulnerability is significant as it requires only Contributor-level access or higher to exploit, making it particularly dangerous in multi-user WordPress environments where less privileged users might have administrative capabilities. Authenticated attackers can inject arbitrary JavaScript code that will execute whenever any user accesses a page containing the compromised shortcode, potentially leading to session hijacking, data theft, or further privilege escalation within the WordPress environment. The stored nature of this vulnerability means that once injected, malicious scripts will persist and execute automatically without requiring additional user interaction, creating a persistent threat vector that can affect all users who view affected pages.

The attack surface is particularly concerning given that this vulnerability affects a widely used advertising plugin, potentially exposing thousands of WordPress installations to automated exploitation. The vulnerability aligns with ATT&CK technique T1548.001 (Abuse Elevation Control Mechanism) as it allows privilege escalation through the manipulation of shortcode attributes that should be restricted to legitimate advertising parameters. Organizations should immediately implement the recommended mitigations including updating to the patched version of the plugin, implementing proper input validation, and applying additional security measures such as content security policies to limit the execution of unauthorized scripts. Additionally, administrators should conduct thorough security audits of all installed plugins to identify similar vulnerabilities and consider implementing web application firewalls to detect and prevent exploitation attempts.
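The following PHP is an added illustration and is not the Ad Short plugin's code. It shows the unescaped handler pattern the advisory describes beside a hardened version (validate the value, then escape it with esc_attr() for the attribute context), and an audit helper an administrator could run over stored post content to flag shortcode instances whose 'client' value does not look like a plain identifier. The function names, the 'ad_example' tag, the markup and the accepted identifier pattern are assumptions chosen for the example.

```php
<?php
// Added example (not the plugin's own code). Requires the WordPress
// runtime for shortcode_atts(), esc_attr(), sanitize_text_field(),
// get_shortcode_regex() and shortcode_parse_atts().

// Unsafe pattern: the 'client' attribute goes straight into a
// double-quoted HTML attribute. A value containing a double quote can
// close the attribute and change the surrounding markup.
function example_ad_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'client' => '' ), $atts, 'ad_example' );
    return '<div class="ad-short" data-ad-client="' . $atts['client'] . '"></div>';
}

// Hardened form: strip stray characters, enforce the expected shape of a
// client id (assumed here to be letters, digits, '-' and '_'), and escape
// for the attribute context at output time.
function example_ad_safe( $atts ) {
    $atts   = shortcode_atts( array( 'client' => '' ), $atts, 'ad_example' );
    $client = sanitize_text_field( $atts['client'] );
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $client ) ) {
        return ''; // reject anything that is not a well-formed client id
    }
    return '<div class="ad-short" data-ad-client="' . esc_attr( $client ) . '"></div>';
}
add_shortcode( 'ad_example', 'example_ad_safe' );

// Audit helper: given raw post content, return the 'client' values of any
// [ad_example] shortcode that would fail the same validation. Useful for
// reviewing existing posts after upgrading, before trusting stored content.
function example_find_bad_ad_clients( $content ) {
    $flagged = array();
    $pattern = get_shortcode_regex( array( 'ad_example' ) );
    if ( preg_match_all( '/' . $pattern . '/s', $content, $matches, PREG_SET_ORDER ) ) {
        foreach ( $matches as $m ) {
            // Group 3 of the WordPress shortcode regex is the attribute string.
            $atts = shortcode_parse_atts( $m[3] );
            if ( is_array( $atts ) && isset( $atts['client'] )
                && ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $atts['client'] ) ) {
                $flagged[] = $atts['client'];
            }
        }
    }
    return $flagged;
}

// Example audit loop (constructed): scan every published post and report
// post IDs whose shortcode attributes fail validation.
function example_audit_posts() {
    $report = array();
    foreach ( get_posts( array( 'numberposts' => -1, 'post_status' => 'any' ) ) as $post ) {
        $bad = example_find_bad_ad_clients( $post->post_content );
        if ( ! empty( $bad ) ) {
            $report[ $post->ID ] = $bad;
        }
    }
    return $report;
}
```

The escaping in example_ad_safe() is applied at the output site rather than on save, which is the WordPress convention: stored content may have been written before the fix existed, and late escaping covers it regardless of how it entered the database. The validation step is separate from escaping; esc_attr() alone would stop attribute breakout, while the allow-list pattern additionally rejects values that are not plausible client ids.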

Responsible

Wordfence

Reservation

03/12/2026

Disclosure

03/21/2026

Moderation

accepted

CPE

ready

EPSS

0.00048

KEV

no

Activities

very low

Sources
