{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3997", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-11T17:06:39.345Z", "datePublished": "2026-03-21T03:27:09.049Z", "dateUpdated": "2026-04-08T17:26:38.506Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:38.506Z"}, "affected": [{"vendor": "hoosierdragon", "product": "Text Toggle", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the [tt_part] and [tt] shortcodes in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the avp_texttoggle_part_shortcode() function, the 'title' attribute is extracted from shortcode attributes and concatenated directly into HTML output without any escaping \u2014 both within an HTML attribute context (title=\"...\") on line 116 and in HTML content on line 119. While the 'class' attribute is properly validated using ctype_alnum(), the 'title' attribute has no sanitization whatsoever. An attacker can inject double-quote characters to break out of the title attribute and inject arbitrary HTML attributes including event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Text Toggle <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7ac0683-120f-4e76-9d44-5ee1c789b2c8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/text-toggle/trunk/avp-texttoggle.php#L116"}, {"url": "https://plugins.trac.wordpress.org/browser/text-toggle/tags/1.1/avp-texttoggle.php#L116"}, {"url": "https://plugins.trac.wordpress.org/browser/text-toggle/trunk/avp-texttoggle.php#L119"}, {"url": "https://plugins.trac.wordpress.org/browser/text-toggle/tags/1.1/avp-texttoggle.php#L119"}, {"url": "https://plugins.trac.wordpress.org/browser/text-toggle/trunk/avp-texttoggle.php#L108"}, {"url": "https://plugins.trac.wordpress.org/browser/text-toggle/tags/1.1/avp-texttoggle.php#L108"}, {"url": "https://plugins.trac.wordpress.org/browser/text-toggle/trunk/avp-texttoggle.php#L72"}, {"url": "https://plugins.trac.wordpress.org/browser/text-toggle/tags/1.1/avp-texttoggle.php#L72"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2026-03-20T15:07:17.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:26:51.488981Z", "id": "CVE-2026-3997", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:27:00.639Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3997", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:26:51.488981Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:26:57.228Z"}}], "cna": {"title": "Text Toggle <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "hoosierdragon", "product": "Text Toggle", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:07:17.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7ac0683-120f-4e76-9d44-5ee1c789b2c8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/text-toggle/trunk/avp-texttoggle.php#L116"}, {"url": "https://plugins.trac.wordpress.org/browser/text-toggle/tags/1.1/avp-texttoggle.php#L116"}, {"url": "https://plugins.trac.wordpress.org/browser/text-toggle/trunk/avp-texttoggle.php#L119"}, {"url": "https://plugins.trac.wordpress.org/browser/text-toggle/tags/1.1/avp-texttoggle.php#L119"}, {"url": "https://plugins.trac.wordpress.org/browser/text-toggle/trunk/avp-texttoggle.php#L108"}, {"url": "https://plugins.trac.wordpress.org/browser/text-toggle/tags/1.1/avp-texttoggle.php#L108"}, {"url": "https://plugins.trac.wordpress.org/browser/text-toggle/trunk/avp-texttoggle.php#L72"}, {"url": "https://plugins.trac.wordpress.org/browser/text-toggle/tags/1.1/avp-texttoggle.php#L72"}], "descriptions": [{"lang": "en", "value": "The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the [tt_part] and [tt] shortcodes in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the avp_texttoggle_part_shortcode() function, the 'title' attribute is extracted from shortcode attributes and concatenated directly into HTML output without any escaping \u2014 both within an HTML attribute context (title=\"...\") on line 116 and in HTML content on line 119. While the 'class' attribute is properly validated using ctype_alnum(), the 'title' attribute has no sanitization whatsoever. An attacker can inject double-quote characters to break out of the title attribute and inject arbitrary HTML attributes including event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:38.506Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3997", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:26:38.506Z", "dateReserved": "2026-03-11T17:06:39.345Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:27:09.049Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the [tt_part] and [tt] shortcodes in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the avp_texttoggle_part_shortcode() function, the 'title' attribute is extracted from shortcode attributes and concatenated directly into HTML output without any escaping \u2014 both within an HTML attribute context (title=\"...\") on line 116 and in HTML content on line 119. While the 'class' attribute is properly validated using ctype_alnum(), the 'title' attribute has no sanitization whatsoever. An attacker can inject double-quote characters to break out of the title attribute and inject arbitrary HTML attributes including event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Text Toggle para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del atributo 'title' del shortcode de los shortcodes [tt_part] y [tt] en todas las versiones hasta la 1.1 inclusive. Esto se debe a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los atributos de shortcode proporcionados por el usuario. Espec\u00edficamente, en la funci\u00f3n avp_texttoggle_part_shortcode(), el atributo 'title' se extrae de los atributos del shortcode y se concatena directamente en la salida HTML sin ning\u00fan escape \u2014 tanto dentro de un contexto de atributo HTML (title=\"...\") en la l\u00ednea 116 como en el contenido HTML en la l\u00ednea 119. Mientras que el atributo 'class' se valida correctamente usando ctype_alnum(), el atributo 'title' no tiene ninguna sanitizaci\u00f3n en absoluto. Un atacante puede inyectar caracteres de comillas dobles para salir del atributo title e inyectar atributos HTML arbitrarios, incluidos los controladores de eventos. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-3997", "lastModified": "2026-04-24T16:27:44.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:17:37.530", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/text-toggle/tags/1.1/avp-texttoggle.php#L108"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/text-toggle/tags/1.1/avp-texttoggle.php#L116"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/text-toggle/tags/1.1/avp-texttoggle.php#L119"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/text-toggle/tags/1.1/avp-texttoggle.php#L72"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/text-toggle/trunk/avp-texttoggle.php#L108"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/text-toggle/trunk/avp-texttoggle.php#L116"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/text-toggle/trunk/avp-texttoggle.php#L119"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/text-toggle/trunk/avp-texttoggle.php#L72"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7ac0683-120f-4e76-9d44-5ee1c789b2c8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Text Toggle", "source": "cna", "vendor": "hoosierdragon"}, "product": "text_toggle", "vendor": "hoosierdragon"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T07:10:35.112091+00:00", "value": {"mitigation_remediation": ["Upgrade the Text Toggle plugin to the latest version available in the WordPress repository", "If an upgrade is not possible, remove or deactivate the plugin entirely to eliminate the attack surface", "Block Contributor and higher role users from editing or publishing content that includes shortcodes until the issue is resolved", "Apply site\u2011wide input sanitization for shortcode attributes as a temporary workaround", "Verify existing content for injected malicious titles and cleanse or delete affected posts", "Maintain regular backups before applying changes so reversible actions are possible"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting via plugin shortcode title attribute"}, "threat_synthesis": {"affected_systems": "Any WordPress installation running the hoosierdragon Text Toggle plugin version 1.1 or earlier is impacted. Sites using these versions must have the plugin enabled; the flaw is triggered only when a user with Contributor\u2011level or higher privileges creates or edits a post containing a vulnerable shortcode.", "description_and_impact": "The Text Toggle plugin for WordPress is susceptible to stored cross\u2011site scripting when the 'title' attribute of the [tt_part] or [tt] shortcodes is used. Because the plugin concatenates the raw attribute value directly into both an HTML attribute and regular content without escaping, an attacker can inject quote characters and arbitrary event\u2011handler attributes, allowing execution of malicious scripts in the browser of any visitor to the affected page. This vulnerability is classified as CWE\u201179, meaning it can compromise confidentiality, integrity, and availability through script injection.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers need authenticated Contributor (+) access to insert the malicious shortcode; once the payload is stored, it will be rendered and executed for all users who view the page, making the exploit highly effective but limited to sites that allow such content editing by that role."}}}}, "created": "2026-03-23T09:49:51.580881+00:00", "updated": "2026-03-25T14:41:31.463819+00:00", "vendors": ["hoosierdragon", "hoosierdragon$PRODUCT$text_toggle", "wordpress", "wordpress$PRODUCT$wordpress"]}