WWordPress Vulnerability Database

Hong Kong Security Alert WordPress Sticky XSS(CVE20266397)

Cross Site Scripting (XSS) in WordPress Sticky Plugin
0
Shares
0
0
0
0






Urgent: CVE-2026-6397 — Stored XSS in Sticky plugin (<= 2.5.6)


Plugin Name Sticky
Type of Vulnerability Cross-Site Scripting (XSS)
CVE Number CVE-2026-6397
Urgency Low
CVE Publish Date 2026-05-20
Source URL CVE-2026-6397

Urgent: CVE-2026-6397 — Stored XSS in Sticky plugin (<= 2.5.6)

Published: 19 May, 2026   |   Severity: Low   |   CVSS: 6.5   |   Affected versions: Sticky plugin <= 2.5.6   |   Required privilege to inject: Contributor

As a Hong Kong security expert speaking plainly: this is a stored (persistent) cross-site scripting (XSS) issue in the Sticky plugin up to version 2.5.6. An attacker with creator/contributor access can save HTML/JavaScript into the plugin’s data store. That payload can later run in the browser of a privileged user or a site visitor and perform actions such as session theft, unauthorized requests, content tampering, or further compromise of the site.

This post explains the vulnerability, realistic exploitation paths, detection steps, and immediate and longer-term mitigations. The guidance is practical and aimed at site owners, administrators, and developers responsible for WordPress sites in production environments.

Table of contents

  • Quick technical summary
  • What is stored XSS and why it’s dangerous
  • Exploitation scenarios you should worry about
  • Indicators of compromise (IoCs) and how to hunt for injected content
  • Immediate mitigation steps (stop the bleeding)
  • Recovery and cleanup checklist
  • Hardening contributor and other low-privilege roles
  • Detection and prevention strategies for the future
  • Practical quick checklist (copy-and-paste)
  • Final thoughts

Quick technical summary

  • The Sticky plugin (<= 2.5.6) contains a stored XSS vulnerability allowing a user with Contributor privileges to save JavaScript/HTML that is later rendered unescaped in admin or front-end contexts.
  • Stored XSS means the malicious payload is persisted in the database and will execute when rendered; it does not require the attacker to trigger it later.
  • Exploitation needs a privileged user to view or interact with the rendered content (admin/editor) or a site visitor, depending on where the plugin displays stored content.
  • Public disclosure: CVE-2026-6397 (disclosed 19 May 2026). If an official patch is released, update immediately. If not, follow the mitigations below.

What is stored XSS, and why you should care

Cross-site scripting (XSS) is an injection primitive where an attacker causes script to run in another user’s browser. Stored XSS is particularly dangerous because the malicious content is kept on the server and will run when someone views that content.

Practical impacts:

  • Script execution in a privileged user’s browser can lead to session cookie theft, token leakage, or actions performed via the victim’s credentials (REST API calls, changing settings, creating accounts).
  • Stored XSS is often the first step: initial foothold → privilege escalation → install backdoors → persistent compromise.
  • SEO and reputation damage if users are redirected or malicious content is served publicly.

Exploitation scenarios — how an attacker might use this vulnerability

  1. Account creation / social engineering

    • Attacker registers as a contributor (or compromises one).
    • Using contributor privileges, attacker inserts sticky content, widget content, or plugin meta containing