Atomic Edge analysis of CVE-2026-1912 (metadata-based):
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw in the Citations Tools WordPress plugin, versions up to and including 0.3.2. The vulnerability exists in the ‘ctdoi’ shortcode’s ‘code’ attribute. Attackers with Contributor-level access or higher can inject malicious scripts that execute when a user views a compromised page or post. The CVSS score of 6.4 (Medium) reflects the requirement for authentication, but the stored nature and potential for session hijacking increase its severity in a WordPress context.

Atomic Edge research identifies the root cause as insufficient input sanitization and output escaping on user-supplied shortcode attributes. The plugin likely registers a shortcode handler for ‘ctdoi’ that directly echoes or unsafely outputs the ‘code’ attribute value without proper escaping. This is a classic CWE-79 violation. The analysis infers the lack of proper escaping functions like `esc_attr()` for attribute context or `wp_kses()` for sanitization. Without a code diff, this conclusion is based on the CWE classification and the standard WordPress shortcode implementation pattern.

Exploitation requires an authenticated user with at least the ‘contributor’ role. The attacker would create or edit a post, embedding the vulnerable shortcode with a malicious payload in the ‘code’ attribute. For example: `[ctdoi code=""]`. The payload is stored in the post content. It executes in the browser of any user who views that post. The attack vector is the WordPress post editor; no direct endpoint like `admin-ajax.php` is required, as the exploit leverages the core shortcode processing system.

Remediation requires implementing proper output escaping. The plugin should use the `esc_attr()` function when outputting the ‘code’ attribute value within an HTML attribute context. Alternatively, the plugin could implement input sanitization using `sanitize_text_field()` or a more restrictive allow-list when registering the shortcode attribute. A secure shortcode callback must treat all user-supplied attributes as untrusted and escape them appropriately for their output context.
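
The remediation described above, as an added example: this is not the Citations Tools plugin's code, which was not available for this analysis. The `ctdoi_demo` tag, the function names, the output markup and the assumption that ‘code’ carries a DOI are all hypothetical.

```php
<?php
/**
 * Plugin Name: ctdoi escaping demo (added example, hypothetical)
 */
defined( 'ABSPATH' ) || exit;

// UNSAFE pattern the analysis infers (hypothetical reconstruction, not the
// plugin's source): the attribute value reaches the markup verbatim.
// Defined for comparison only; it is never registered as a shortcode.
function ctdoi_demo_unsafe( $atts ) {
	$atts = shortcode_atts( array( 'code' => '' ), $atts, 'ctdoi_demo' );
	return '<span class="doi" data-doi="' . $atts['code'] . '"></span>';
}

// Hardened callback: allow-list the value, then escape per output context.
function ctdoi_demo_safe( $atts ) {
	$atts = shortcode_atts( array( 'code' => '' ), $atts, 'ctdoi_demo' );
	$code = trim( (string) $atts['code'] );

	// Assumption: 'code' carries a DOI such as 10.1000/xyz123. A value that
	// does not match the allow-list is rejected outright, not "cleaned".
	if ( ! preg_match( '~^10\.\d{4,9}/[A-Za-z0-9._;()/:-]+$~', $code ) ) {
		return '';
	}

	// esc_attr() for the attribute, esc_url() for the href, esc_html() for
	// the text node: one escaping function per context the value lands in.
	return sprintf(
		'<a class="doi" data-doi="%1$s" href="%2$s">%3$s</a>',
		esc_attr( $code ),
		esc_url( 'https://doi.org/' . $code ),
		esc_html( $code )
	);
}
add_shortcode( 'ctdoi_demo', 'ctdoi_demo_safe' );
```

Escaping stays in place even with the allow-list, so a later loosening of the pattern cannot reopen the hole. `sanitize_text_field()` strips tags but leaves quote characters intact, so it does not replace `esc_attr()` for a value placed inside a quoted attribute.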

The impact of successful exploitation is client-side code execution in the context of the victim’s browser session. This can lead to session hijacking, administrative actions performed by a logged-in administrator, content defacement, or redirection to malicious sites. While the vulnerability requires Contributor access, this role is commonly granted in multi-author sites, and the stored payload can affect all site visitors, amplifying the risk.