CVE-2026-4005 is a stored Cross-Site Scripting vulnerability in the Coachific Shortcode WordPress plugin. The flaw is due to improper neutralization of input during web page generation: the 'userhash' shortcode attribute is sanitized with sanitize_text_field(), which does not escape characters critical in JavaScript strings. The sanitized input is then interpolated directly into a JavaScript string inside a <script> tag without JavaScript-specific escaping functions like wp_json_encode() or esc_js(). This allows authenticated users with Contributor or higher privileges to inject malicious scripts that execute in the context of any user viewing the page. The vulnerability affects all versions up to and including 1.0. No patch or official remediation has been published as of the data provided.

Successful exploitation allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code that executes in the browsers of users who visit the compromised pages. This can lead to theft of user credentials, session hijacking, or other malicious actions limited to the scope of the injected script. The vulnerability does not affect availability and requires user interaction (visiting the injected page). The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and partial confidentiality and integrity impact.

No official patch or remediation is currently available for this vulnerability. Users should monitor the vendor's advisory channels for updates. As a temporary mitigation, restrict Contributor-level access if possible and review usage of the 'userhash' shortcode to avoid untrusted input. Avoid using the vulnerable plugin until a fix is released. Implementing additional input validation or output escaping at the application level may reduce risk but is not a substitute for an official fix.