CVE-2026-4084 in fyyd podcast shortcodes Plugin

Summary

by MITRE • 03/21/2026

The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'color', 'podcast_id', and 'podcast_slug'. These attributes are directly concatenated into inline JavaScript within single-quoted string arguments without any escaping or sanitization, allowing an attacker to break out of the JavaScript string context. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/21/2026

The vulnerability identified as CVE-2026-4084 affects the fyyd podcast shortcodes plugin for WordPress, representing a critical stored cross-site scripting weakness that has been present in all versions up to and including 0.3.1. This security flaw resides in the plugin's handling of specific shortcodes, including 'fyyd-podcast', 'fyyd-episode', and 'fyyd', which are commonly used to embed podcast content within WordPress posts and pages. The vulnerability stems from inadequate input sanitization and output escaping within the plugin's shortcode implementation, creating an exploitable condition that allows attackers to inject malicious JavaScript code into the WordPress environment.

The technical exploitation of this vulnerability occurs through the improper handling of user-supplied attributes within the affected shortcodes. Specifically, attributes such as 'color', 'podcast_id', and 'podcast_slug' are directly incorporated into inline JavaScript code without appropriate sanitization or escaping procedures. When these attributes are processed, they are concatenated into single-quoted string arguments within JavaScript contexts, creating a path for attackers to break out of the intended string context and inject arbitrary JavaScript code. This type of vulnerability maps directly to CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') and represents a classic case of stored XSS where malicious scripts are permanently stored on the server and executed when victims access affected pages.

The operational impact of this vulnerability is significant as it requires only Contributor-level access or higher to exploit, making it particularly dangerous in WordPress environments where multiple users with varying permission levels may exist. Attackers with these privileges can inject malicious scripts that will execute whenever any user accesses a page containing the compromised shortcode. This creates a persistent threat vector that can be used for various malicious activities including credential theft, session hijacking, redirection to malicious sites, or even privilege escalation within the WordPress environment. The stored nature of the vulnerability means that once injected, the malicious code remains active until manually removed by administrators, potentially affecting numerous users over extended periods.

From a defensive perspective, this vulnerability aligns with ATT&CK technique T1546.001 - Event Triggered Execution: Change Default File Association, as it exploits the legitimate shortcode functionality to inject malicious code that executes within the context of normal user interactions. The recommended mitigations include immediate patching of the fyyd podcast shortcodes plugin to version 0.3.2 or later, which should contain proper input sanitization and output escaping mechanisms. Administrators should also implement strict input validation for all shortcode attributes, employ proper HTML and JavaScript escaping routines, and consider implementing content security policies to limit the execution of inline scripts. Additionally, regular security audits of WordPress plugins and themes should be conducted to identify similar vulnerabilities, and user privilege management should be carefully reviewed to limit the scope of potential exploitation. The vulnerability demonstrates the critical importance of proper input validation and output escaping in web applications, particularly when handling user-supplied data in contexts where it will be executed as code.
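The pattern the advisory describes (shortcode attributes dropped into a single-quoted JavaScript string) and the escaping the mitigation paragraph calls for, as an added example written for this page. It is not the fyyd plugin's own code; the function names, the attribute set and the `fyydEmbed` script call are hypothetical, and the `shortcode_atts` stub only exists so the file runs with plain `php` outside WordPress.

```php
<?php
// Added example, not the fyyd plugin's own code. Shows the bug class from the
// advisory (attributes concatenated into JavaScript source) next to a hardened
// handler. All names here are hypothetical.

// Stand-in for WordPress' shortcode_atts() so this runs outside WordPress (assumption).
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( array $defaults, $atts ) {
        $atts = is_array( $atts ) ? $atts : array();
        return array_merge( $defaults, array_intersect_key( $atts, $defaults ) );
    }
}

$defaults = array( 'podcast_id' => '', 'podcast_slug' => '', 'color' => '#000000' );

// UNSAFE: mirrors the bug class in the advisory. Each attribute is interpolated
// into JavaScript source without escaping, so a value containing a single quote
// terminates the string literal and whatever follows is parsed as code.
function unsafe_podcast_shortcode( $atts ) {
    global $defaults;
    $a = shortcode_atts( $defaults, $atts );
    return "<script>fyydEmbed('" . $a['podcast_id'] . "', '" . $a['podcast_slug'] . "', '" . $a['color'] . "');</script>";
}

// HARDENED, step 1: validate every attribute against a strict type/allowlist and
// reject (not "repair") anything that does not fit.
function safe_podcast_atts( $atts ) {
    global $defaults;
    $a = shortcode_atts( $defaults, $atts );

    $id = filter_var( $a['podcast_id'], FILTER_VALIDATE_INT, array( 'options' => array( 'min_range' => 1 ) ) );
    if ( false === $id ) {
        return null;
    }
    if ( ! preg_match( '/^[a-z0-9-]{1,100}$/', $a['podcast_slug'] ) ) {
        return null;
    }
    if ( ! preg_match( '/^#[0-9a-fA-F]{6}$/', $a['color'] ) ) {
        $a['color'] = '#000000'; // cosmetic attribute: fall back to the default
    }
    return array( 'podcast_id' => $id, 'podcast_slug' => $a['podcast_slug'], 'color' => $a['color'] );
}

// HARDENED, step 2: never build a JS string literal by hand. json_encode with the
// HEX flags escapes < > & ' " as \uXXXX, so the emitted literal can close neither
// the string, nor the call, nor the surrounding <script> element.
function js_string_literal( $value ) {
    return json_encode( (string) $value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );
}

function safe_podcast_shortcode( $atts ) {
    $a = safe_podcast_atts( $atts );
    if ( null === $a ) {
        return ''; // unusable input renders nothing rather than something half-escaped
    }
    return '<script>fyydEmbed(' . js_string_literal( $a['podcast_id'] ) . ', '
        . js_string_literal( $a['podcast_slug'] ) . ', '
        . js_string_literal( $a['color'] ) . ');</script>';
}

// Constructed inputs: a benign value carrying a quote, and a well-formed one.
$quoted = array( 'podcast_id' => '42', 'podcast_slug' => "it's", 'color' => '#ff0000' );
$clean  = array( 'podcast_id' => '42', 'podcast_slug' => 'my-show', 'color' => '#ff0000' );

echo unsafe_podcast_shortcode( $quoted ), PHP_EOL; // the quote reaches the JS source as-is
echo safe_podcast_shortcode( $quoted ), PHP_EOL;   // empty: slug fails the allowlist
echo safe_podcast_shortcode( $clean ), PHP_EOL;    // values appear as JSON-encoded literals
```

Inside a real plugin the same two steps apply, with WordPress' own helpers in place of the stand-ins: validate with `absint()`, `sanitize_key()` or `sanitize_hex_color()`, and hand values to the script through `wp_json_encode()` (or via `esc_attr()` into a `data-*` attribute that the script reads) instead of string concatenation. Restricting inline scripts with a Content-Security-Policy, as the analysis suggests, limits the blast radius if a similar bug is missed elsewhere.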

Responsible: Wordfence
Reservation: 03/12/2026
Disclosure: 03/21/2026
Moderation: accepted
CPE: ready
EPSS: 0.00062
KEV: no
Activities: very low
