CVE-2026-1099 is a stored cross-site scripting vulnerability identified in the Administrative Shortcodes WordPress plugin developed by shazdeh. This vulnerability affects all plugin versions up to and including 0.3.4. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'login' and 'logout' shortcode attributes. These attributes accept user-supplied input that is embedded into pages without adequate filtering, allowing an authenticated attacker with Contributor-level or higher privileges to inject arbitrary JavaScript code. Because the malicious scripts are stored persistently in the WordPress database and rendered on pages, any user visiting the affected page will execute the injected code in their browser context. The vulnerability impacts confidentiality and integrity by enabling session hijacking, privilege escalation, or unauthorized actions on behalf of users. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to affecting other users. No patches or official fixes are currently linked, and no known exploits have been observed in the wild. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common and dangerous web application security flaw.

The primary impact of this vulnerability is the potential for attackers with low-level authenticated access to inject persistent malicious scripts into WordPress sites using the Administrative Shortcodes plugin. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of other users, and potential defacement or redirection attacks. Since the injected scripts execute in the context of any user viewing the compromised pages, including administrators, the integrity and confidentiality of the site and its users are at risk. While availability is not directly affected, the trustworthiness of the website can be severely damaged, potentially leading to reputational harm and loss of user confidence. Organizations relying on this plugin, especially those with multiple contributors or editors, face increased risk of insider threats or compromised accounts being leveraged for exploitation. The medium severity rating reflects the need for prompt remediation to prevent exploitation, especially in environments with multiple authenticated users.

To mitigate this vulnerability, organizations should first check for updates or patches from the plugin vendor and apply them immediately once available. In the absence of an official patch, administrators should consider temporarily disabling the Administrative Shortcodes plugin or removing the affected 'login' and 'logout' shortcodes from all pages and posts. Implement strict role-based access controls to limit Contributor-level and higher privileges only to trusted users. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute inputs that contain script tags or suspicious payloads. Conduct thorough input validation and output encoding on all shortcode attributes if custom development is possible. Regularly audit WordPress user accounts and monitor logs for unusual activities or unauthorized content changes. Educate content editors about the risks of injecting untrusted content and enforce security best practices for content management. Finally, consider deploying Content Security Policy (CSP) headers to reduce the impact of any potential XSS by restricting script execution sources.