Community Alert: XSS Vulnerability in WDES Popup (CVE-2026-1804)

Cross-Site Scripting (XSS) in WordPress WDES Responsive Popup Plugin
Plugin Name: WDES Responsive Popup
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2026-1804
Urgency: Low
CVE Publish Date: 2026-02-12
Source URL: CVE-2026-1804

Authenticated (Contributor) Stored XSS in WDES Responsive Popup (≤ 1.3.6) — What WordPress Site Owners and Developers Must Do Now

By a Hong Kong security expert — concise, practical guidance for site owners and developers.

Summary: A stored Cross‑Site Scripting (XSS) vulnerability (CVE‑2026‑1804) affects the WDES Responsive Popup WordPress plugin (versions ≤ 1.3.6). An authenticated user with Contributor privileges can inject malicious payloads via the plugin’s shortcode attr attribute; these payloads are persisted and later executed in privileged contexts. This article explains the technical root cause, realistic impact, detection methods, immediate mitigations, WAF rule examples, and secure coding guidance for plugin authors.


Why this matters (short answer)

Stored XSS is dangerous because malicious input is persisted and executed when other users — often administrators or editors — view content. Even though an attacker must be authenticated with Contributor privileges, that is sufficient to embed JavaScript or event attributes that execute in a higher‑privileged user’s browser. Consequences include session theft, account takeover, content modification, and execution of privileged actions in the victim’s browser.

Treat any stored XSS that renders user‑submitted attributes as high risk on sites where Contributors, Authors or Editors can add content. Defend in depth: remove or patch the offending plugin, audit site content, and apply edge filtering or virtual patches while performing a thorough remediation.


Background: how stored XSS via shortcode attributes works

Shortcodes let plugins insert dynamic content into post content. Shortcode handlers receive attributes from post content:

Example usage in a post: [popup attr="some value"]

If the plugin echoes the attribute directly into HTML (for example into an attribute value or inline HTML) without proper escaping or sanitization, an attacker who can create or edit content can include scripts or event handlers in that attr value. Because that content is stored in the database (post_content), the malicious input can later be rendered in a context where it runs in someone else’s browser.
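A content audit for this specific shortcode, added here as an example (not code from the original article or from the plugin): it scans (post_id, post_content) rows for [popup attr="..."] shortcodes whose attr value would break out of an HTML attribute or carry active content if the plugin echoed it unescaped. The tag popup and the attribute name attr follow the usage example above; the post rows are constructed sample data.

```python
import re

# Shortcode tag "popup" and attribute "attr" follow the article's usage
# example [popup attr="some value"]; the post rows below are constructed
# sample data, not content from any real site.
SHORTCODE_RE = re.compile(r"\[popup\b([^\]]*)\]", re.IGNORECASE)
ATTR_RE = re.compile(r"""\battr\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""", re.IGNORECASE)

# Each indicator marks an attr value that would break out of an attribute
# context or carry active content if the plugin echoes it unescaped.
INDICATORS = [
    (re.compile(r"[<>]"), "angle bracket (tag injection)"),
    (re.compile(r"""["']"""), "quote (attribute breakout)"),
    (re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE), "event handler attribute"),
    (re.compile(r"javascript\s*:", re.IGNORECASE), "javascript: URL"),
]

SAMPLE_POSTS = [
    (101, 'Welcome! [popup attr="Spring sale"] Read more below.'),
    (102, "Intro [popup attr='\" onmouseover=\"alert(1)'] text"),
    (103, '[popup attr="<img src=x onerror=alert(1)>"] and [popup attr="plain"]'),
    (104, 'No popup here, just [gallery ids="1,2"].'),
]


def audit_posts(posts):
    """Scan (post_id, post_content) rows and return one finding per suspicious shortcode."""
    findings = []
    for post_id, content in posts:
        for shortcode in SHORTCODE_RE.finditer(content):
            match = ATTR_RE.search(shortcode.group(1))
            if match is None:
                continue  # shortcode present but no attr attribute
            # Exactly one of the three capture groups (double-, single-, unquoted) matched.
            value = next(g for g in match.groups() if g is not None)
            reasons = [label for rx, label in INDICATORS if rx.search(value)]
            if reasons:
                findings.append({"post_id": post_id, "attr": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']}: attr={f['attr']!r} -> {', '.join(f['reasons'])}")
```

On a live site the rows would come from the wp_posts table (a database export or WP-CLI query); every hit should be reviewed by hand and the shortcode removed or its value sanitized, since the heuristics will also flag some benign punctuation.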

Typical unsafe pattern:

// unsafe example (vulnerable): $atts['attr'] is concatenated into HTML with no escaping
// (the handler name and surrounding markup are illustrative; the original snippet's HTML tags were lost)
function popup_shortcode( $atts ) {
    echo '<div class="popup" title="' . $atts['attr'] . '">';
    // ... rest of the popup markup ...
    echo '</div>';
}

If $atts['attr'] contains