The WP Games Embed plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2026-3996. This vulnerability stems from the plugin's failure to properly sanitize and escape user-supplied input in shortcode attributes such as 'width', 'height', 'src', 'title', 'description', 'game_url', 'main', and 'thumb'. These attributes are directly concatenated into HTML output without any escaping, enabling an attacker with Contributor-level or higher privileges to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes each time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability does not require user interaction but does require authenticated access, limiting exploitation to users with some level of trust within the WordPress environment. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, privileges required, no user interaction, scope changed, and low impact on confidentiality and integrity, no impact on availability. No patches or exploits are currently publicly available, but the risk remains significant for sites using this plugin without mitigation.

This vulnerability allows authenticated users with Contributor-level access or higher to inject persistent malicious scripts into WordPress pages, which execute in the context of any user visiting those pages. The impact includes potential theft of session cookies, enabling account takeover, defacement of website content, and the ability to perform unauthorized actions on behalf of other users, including administrators. For organizations, this can lead to compromised user accounts, loss of data integrity, reputational damage, and potential regulatory consequences if user data is exposed. Since the vulnerability affects all versions up to 0.1beta of the WP Games Embed plugin, any WordPress site using this plugin is at risk. The requirement for authenticated access reduces the attack surface but does not eliminate it, especially in environments with multiple contributors or less stringent user management. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the immediate plugin, potentially impacting the entire WordPress site.

1. Immediately restrict Contributor-level and higher user permissions to trusted individuals only, minimizing the risk of malicious shortcode injection. 2. Disable or uninstall the WP Games Embed plugin if it is not essential to your site’s functionality. 3. If continued use is necessary, implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious shortcode attribute inputs containing script tags or event handlers. 4. Monitor and audit shortcode usage and content submitted by contributors to detect anomalous or malicious entries. 5. Apply manual input sanitization by filtering or escaping shortcode attributes before rendering, if you have development resources to patch the plugin locally. 6. Keep abreast of vendor updates or patches and apply them promptly once available. 7. Educate content contributors about the risks of injecting untrusted content and enforce strict content submission guidelines. 8. Regularly scan your WordPress site with security tools to detect stored XSS or other injection vulnerabilities.