The MinhNhut Link Gateway plugin for WordPress suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2026-3333. This vulnerability is due to improper neutralization of input during web page generation (CWE-79), specifically in the handling of the 'linkgate' shortcode's user-supplied attributes. All plugin versions up to and including 3.6.1 are affected. Authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript code into pages by exploiting insufficient input sanitization and lack of proper output escaping. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions within the context of the affected site. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and a scope change due to the impact on other users. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those allowing Contributor-level user roles.

The primary impact of this vulnerability is the compromise of confidentiality and integrity for users visiting affected WordPress sites. Attackers can execute arbitrary scripts in the context of the site, leading to session hijacking, theft of sensitive information, defacement, or redirection to malicious sites. Since the vulnerability allows scope change, it can affect users beyond the attacker, potentially leading to widespread compromise of site visitors. Organizations relying on the MinhNhut Link Gateway plugin risk reputational damage, data breaches, and loss of user trust. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but many WordPress sites allow Contributor-level access to multiple users, increasing risk. The absence of known exploits currently reduces immediate threat but does not eliminate the risk of future attacks. The vulnerability does not affect availability directly but can indirectly impact site operations through malicious activity.

Organizations should immediately upgrade the MinhNhut Link Gateway plugin to a patched version once available. In the absence of a patch, administrators should restrict Contributor-level access and above to trusted users only, minimizing the risk of malicious input. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute patterns can provide interim protection. Site owners should audit existing content for injected scripts and remove any suspicious entries. Enforcing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Additionally, regular monitoring of user activity and logs can help detect exploitation attempts early. Educating users about the risks of elevated privileges and maintaining strong authentication controls will further reduce attack surface.