The Sherk Custom Post Type Displays plugin for WordPress contains a stored Cross-Site Scripting vulnerability identified as CVE-2026-3554. The vulnerability is due to improper neutralization of input during web page generation (CWE-79). Specifically, the 'title' attribute of the 'sherkcptdisplays' shortcode is extracted via shortcode_atts() in the sherkcptdisplays_func() function without proper sanitization or escaping before being concatenated into an HTML <h2> element. This allows an authenticated attacker with Contributor-level permissions or higher to inject arbitrary JavaScript code into posts or pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or defacement. The vulnerability affects all versions up to and including 1.2.1 of the plugin. The CVSS 3.1 score of 6.4 reflects that the attack can be performed remotely over the network with low complexity but requires some privileges (Contributor or above). The scope is changed because the vulnerability affects other users viewing the injected content. No user interaction is needed beyond viewing the page. No patches have been published yet, and no known exploits are reported in the wild. The vulnerability highlights the importance of proper input validation and output escaping in WordPress shortcode implementations to prevent stored XSS attacks.

This vulnerability allows attackers with Contributor-level access to inject persistent malicious scripts into WordPress pages or posts, which execute in the browsers of any users who view the affected content. The impact includes potential theft of authentication cookies, enabling session hijacking and impersonation of legitimate users, including administrators if they view the infected pages. Attackers could also perform unauthorized actions on behalf of victims, deface websites, or redirect users to malicious sites. Although the vulnerability does not directly affect availability, the integrity and confidentiality of user data and site content are at risk. Organizations using this plugin on public-facing WordPress sites may face reputational damage, data breaches, and increased risk of further compromise. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but the widespread use of WordPress and this plugin increases the attack surface globally.

1. Immediately update the Sherk Custom Post Type Displays plugin to a fixed version once available from the vendor. Monitor official channels for patch releases. 2. Until a patch is released, restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious shortcode injection. 3. Implement a Web Application Firewall (WAF) with rules to detect and block suspicious script tags or JavaScript payloads in shortcode attributes or post content. 4. Use security plugins that sanitize shortcode inputs or apply output escaping filters on dynamic content rendering. 5. Conduct regular security audits of user-generated content and shortcode usage to detect anomalous scripts. 6. Educate site administrators and content editors about the risks of stored XSS and the importance of least privilege principles. 7. Consider disabling or replacing the vulnerable plugin with alternatives that follow secure coding practices if immediate patching is not feasible. 8. Monitor logs for unusual activity or signs of exploitation attempts related to shortcode content injection.