CVE-2026-4067 is a stored Cross-Site Scripting vulnerability identified in the nocaredev Ad Short plugin for WordPress, affecting all versions up to and including 2.0.1. The vulnerability stems from the 'ad' shortcode's 'client' attribute, which is processed by the ad_func() shortcode handler. This handler uses shortcode_atts() to accept the 'client' attribute but fails to sanitize or escape this input before embedding it directly into a double-quoted HTML attribute (data-ad-client) without applying esc_attr() or equivalent sanitization functions. As a result, authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript code into pages via the shortcode. This malicious code is stored persistently and executed in the browsers of any users who visit the affected pages, enabling attacks such as session hijacking, defacement, or unauthorized actions within the context of the victim's session. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and scope change due to impact on other components. No public exploits have been reported yet, but the flaw poses a significant risk given WordPress's widespread use and the plugin's role in ad management.

The stored XSS vulnerability allows attackers with Contributor-level access to inject malicious scripts that execute in the browsers of users viewing the compromised pages. This can lead to theft of authentication cookies, enabling session hijacking, unauthorized actions performed on behalf of users, defacement of web content, or distribution of malware. Since the vulnerability affects a WordPress plugin used for ad management, it can undermine trust in the website and potentially impact revenue streams. The scope of impact extends beyond the initial attacker due to the stored nature of the XSS, affecting all visitors to the infected pages. Organizations relying on this plugin risk reputational damage, data breaches, and compliance violations if exploited. Although exploitation requires authenticated access, Contributor-level permissions are commonly granted to trusted users, increasing the risk of insider threats or compromised accounts being leveraged.

To mitigate CVE-2026-4067, organizations should first check for and apply any official patches or updates from nocaredev once available. In the absence of patches, immediate steps include disabling the Ad Short plugin or restricting Contributor-level access to trusted users only. Implement strict input validation and output escaping by modifying the plugin code to apply esc_attr() or equivalent sanitization functions to the 'client' shortcode attribute before rendering it in HTML. Conduct regular audits of user permissions to minimize the number of users with Contributor or higher roles. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'client' attribute. Monitor website content for unauthorized script injections and maintain robust logging to detect suspicious activities. Educate administrators and content creators about the risks of XSS and the importance of secure coding practices. Finally, consider isolating or sandboxing ad content to limit the impact of potential script execution.