– Proof of Concept - Atomic Edge

Atomic Edge analysis of CVE-2026-6725: This vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the WPC Smart Messages for WooCommerce plugin, versions up to and including 4.2.8. It affects the ‘wpcsm_text_rotator’ shortcode. An authenticated attacker with contributor-level access or higher can inject arbitrary web scripts. The vulnerability carries a CVSS score of 6.4 (Medium).

The root cause lies in insufficient input sanitization and output escaping of user-supplied shortcode attributes. In the file ‘wpc-smart-messages/includes/class-shortcode.php’, the ‘text’ attribute of the ‘wpcsm_text_rotator’ shortcode is output directly into HTML without escaping. The vulnerable code is on line 459: `$output .= ‘‘ . $attrs[‘text’] . ‘‘;`. Similarly, on lines 493 and 497, the ‘text’ attribute is used as a format string in `sprintf()` without escaping: `sprintf( $attrs[‘text’], … )`.

Exploitation requires an attacker to be an authenticated user with at least contributor-level permissions in WordPress. The attacker creates or edits a post or page and inserts the ‘wpcsm_text_rotator’ shortcode. The attacker provides a malicious payload in the ‘text’ attribute of the shortcode. For example: `[wpcsm_text_rotator text=”alert(‘XSS’)”]`. When the page is rendered for any visitor, the injected script executes in their browser context.

The patch, introduced in version 4.2.9, applies proper output escaping. The direct output of the ‘text’ attribute on line 459 is now wrapped with `esc_html()`: `esc_html( $attrs[‘text’] )`. The format string usage in `sprintf()` on lines 493 and 497 is also sanitized: `sprintf( esc_html( $attrs[‘text’] ), … )`. This ensures any HTML or JavaScript in the attribute is encoded, preventing script execution.

Successful exploitation allows an attacker to inject arbitrary JavaScript into pages of the WordPress site. This can lead to session hijacking, cookie theft, phishing attacks, defacement, or redirection to malicious sites. The attack executes in the security context of the logged-in user viewing the page, potentially compromising administrative accounts.