{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1804", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-03T13:47:01.171Z", "datePublished": "2026-02-11T08:26:24.847Z", "dateUpdated": "2026-04-08T16:47:07.525Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:07.525Z"}, "affected": [{"vendor": "master-buldog", "product": "WDES Responsive Popup", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WDES Responsive Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wdes-popup-title' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WDES Responsive Popup <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'attr' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3afdffa7-23ec-41ea-b05a-152a69b7ce50?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wdes-responsive-popup/tags/1.3.6/wdes-popup.php#L111"}, {"url": "https://plugins.trac.wordpress.org/browser/wdes-responsive-popup/tags/1.3.6/lib/view/title.php#L77"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-02-10T20:09:37.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T15:37:11.143713Z", "id": "CVE-2026-1804", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:45:07.613Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1804", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T15:37:11.143713Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:37:11.980Z"}}], "cna": {"title": "WDES Responsive Popup <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'attr' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "master-buldog", "product": "WDES Responsive Popup", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-10T20:09:37.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3afdffa7-23ec-41ea-b05a-152a69b7ce50?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wdes-responsive-popup/tags/1.3.6/wdes-popup.php#L111"}, {"url": "https://plugins.trac.wordpress.org/browser/wdes-responsive-popup/tags/1.3.6/lib/view/title.php#L77"}], "descriptions": [{"lang": "en", "value": "The WDES Responsive Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wdes-popup-title' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:07.525Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1804", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:47:07.525Z", "dateReserved": "2026-02-03T13:47:01.171Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-11T08:26:24.847Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WDES Responsive Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wdes-popup-title' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin WDES Responsive Popup para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del shortcode 'wdes-popup-title' del plugin en todas las versiones hasta la 1.3.6, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1804", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-11T09:15:51.863", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wdes-responsive-popup/tags/1.3.6/lib/view/title.php#L77"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wdes-responsive-popup/tags/1.3.6/wdes-popup.php#L111"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3afdffa7-23ec-41ea-b05a-152a69b7ce50?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.3.6]"}}], "product": "wdes_responsive_popup", "vendor": "master-buldog"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T21:12:47.407115+00:00", "value": {"mitigation_remediation": ["Update the WDES Responsive Popup plugin to the latest version that removes the unsafe shortcut handling.", "If an update is not immediately available, remove or disable the plugin and any active shortcodes until the fix can be applied.", "Restrict contributor and lower\u2011privilege roles from editing popup content, or limit the use of the 'wdes-popup-title' shortcode to administrators only."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting that allows an attacker to inject arbitrary scripts into webpages seen by other users"}, "threat_synthesis": {"affected_systems": "All installations of the WDES Responsive Popup plugin version 1.3.6 and earlier. The plugin is distributed by the master\u2011buldog vendor for WordPress. Sites that use the plugin with contributor\u2011level or higher privileges are vulnerable.", "description_and_impact": "The vulnerability resides in the WDES Responsive Popup WordPress plugin, where the 'wdes-popup-title' shortcode does not properly sanitize or escape user\u2011supplied attributes. Because of this, code injected into the title attribute can be stored in the database and later rendered on any page that displays the popup, enabling arbitrary script execution in the context of the site\u2019s users. This is a classic input validation weakness classified as CWE\u201179, and the impact is the potential compromise of confidentiality, integrity, and availability of affected users\u2019 browsers.", "risk_and_exploitability": "With a CVSS base score of 6.4 the vulnerability is moderately severe. The EPSS score is reported as < 1%, indicating a low\u2011to\u2011moderate probability of exploitation, and it is not listed in the CISA KEV catalog. The attack can be carried out by any authenticated user with contributor or higher access, who can edit the shortcode\u2019s title attribute and insert malicious code. Once injected, the script executes for any visitor who views a page that includes the popup. The scope is limited to the site\u2019s user base, but the impact on each user is significant."}}}}, "created": "2026-02-11T21:46:05.493392+00:00", "updated": "2026-04-15T21:15:13.589234+00:00", "vendors": ["master-buldog", "master-buldog$PRODUCT$wdes_responsive_popup", "wordpress", "wordpress$PRODUCT$wordpress"]}