{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4078", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-12T20:02:44.935Z", "datePublished": "2026-04-24T07:45:08.094Z", "dateUpdated": "2026-04-24T12:36:35.899Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-24T07:45:08.094Z"}, "affected": [{"vendor": "iteras", "product": "ITERAS", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.8.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ITERAS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes (iteras-ordering, iteras-signup, iteras-paywall-login, iteras-selfservice) in all versions up to and including 1.8.2. This is due to insufficient input sanitization and output escaping in the combine_attributes() function. The function directly concatenates shortcode attribute values into JavaScript code within <script> tags using double-quoted string interpolation (line 489: '\"'.$key.'\": \"'.$value.'\"') without any escaping. An attacker can break out of the JavaScript string context by including a double-quote character in a shortcode attribute value and inject arbitrary JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "ITERAS <= 1.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd034f43-370c-4ad9-ad02-4cae0f48d781?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L489"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L489"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L519"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L519"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L511"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L511"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L527"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L527"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L561"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L561"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L551"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L551"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3507724%40iteras&new=3507724%40iteras&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-04-23T19:20:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T12:36:27.289913Z", "id": "CVE-2026-4078", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T12:36:35.899Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4078", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T12:36:27.289913Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T12:36:32.248Z"}}], "cna": {"title": "ITERAS <= 1.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "iteras", "product": "ITERAS", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.8.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-23T19:20:52.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd034f43-370c-4ad9-ad02-4cae0f48d781?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L489"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L489"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L519"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L519"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L511"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L511"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L527"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L527"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L561"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L561"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L551"}, {"url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L551"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3507724%40iteras&new=3507724%40iteras&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The ITERAS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes (iteras-ordering, iteras-signup, iteras-paywall-login, iteras-selfservice) in all versions up to and including 1.8.2. This is due to insufficient input sanitization and output escaping in the combine_attributes() function. The function directly concatenates shortcode attribute values into JavaScript code within <script> tags using double-quoted string interpolation (line 489: '\"'.$key.'\": \"'.$value.'\"') without any escaping. An attacker can break out of the JavaScript string context by including a double-quote character in a shortcode attribute value and inject arbitrary JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-24T07:45:08.094Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4078", "state": "PUBLISHED", "dateUpdated": "2026-04-24T12:36:35.899Z", "dateReserved": "2026-03-12T20:02:44.935Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-24T07:45:08.094Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ITERAS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes (iteras-ordering, iteras-signup, iteras-paywall-login, iteras-selfservice) in all versions up to and including 1.8.2. This is due to insufficient input sanitization and output escaping in the combine_attributes() function. The function directly concatenates shortcode attribute values into JavaScript code within <script> tags using double-quoted string interpolation (line 489: '\"'.$key.'\": \"'.$value.'\"') without any escaping. An attacker can break out of the JavaScript string context by including a double-quote character in a shortcode attribute value and inject arbitrary JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4078", "lastModified": "2026-04-24T14:38:26.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-24T08:16:30.373", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L489"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L511"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L519"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L527"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L551"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/iteras/tags/1.8.2/public/iteras-public.php#L561"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L489"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L511"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L519"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L527"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L551"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/iteras/trunk/public/iteras-public.php#L561"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3507724%40iteras&new=3507724%40iteras&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd034f43-370c-4ad9-ad02-4cae0f48d781?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ITERAS", "source": "cna", "vendor": "iteras"}, "product": "iteras", "vendor": "iteras"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T14:23:29.409085+00:00", "value": {"mitigation_remediation": ["Apply the latest version of ITERAS (1.8.3 or newer) to remove the vulnerable combine_attributes() implementation.", "If an immediate upgrade is not feasible, restrict the plugin\u2019s usage to administrator accounts only and revoke Contributor and lower roles from users who do not need to edit the plugin\u2019s shortcode attributes.", "Disable or sanitize shortcode processing by removing or configuring the iterate_shortcode hooks until a patched version is available."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites using the ITERAS plugin version 1.8.2 or earlier are affected. The plugin is identified as iteras:ITERAS by the CNA and can be found under all releases up to and including 1.8.2.", "description_and_impact": "The ITERAS WordPress plugin contains a stored cross\u2011site scripting flaw that allows an authenticated user with Contributor or higher privileges to inject JavaScript into web pages. The vulnerability resides in the combine_attributes() method, which concatenates shortcode attribute values directly into a JavaScript object inside a <script> tag without proper escaping. By inserting a double\u2011quote into a shortcode attribute, an attacker can break out of the string context and inject arbitrary script that will run whenever a page containing the malicious shortcode is rendered.", "risk_and_exploitability": "The CVSS v3 score of 6.4 classifies this vulnerability as medium severity. The EPSS probability is reported as < 1\u202f%, indicating a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Exploitation requires the attacker to be able to authenticate to the WordPress installation with at least Contributor permissions, which is a non\u2011trivial but realistic prerequisite for users who contribute content. Once an attacker injects malicious script, any visitor who views the affected page will execute the script in their browser, enabling cookie theft, session hijacking, or delivery of additional malware."}}}}, "created": "2026-04-28T09:18:04.724770+00:00", "updated": "2026-04-28T14:30:33.759311+00:00", "vendors": ["iteras", "iteras$PRODUCT$iteras", "wordpress", "wordpress$PRODUCT$wordpress"]}