CVE-2026-4084 is a stored cross-site scripting vulnerability in the fyyd podcast shortcodes plugin for WordPress. The flaw arises from improper neutralization of input (CWE-79) in shortcode attributes such as 'color', 'podcast_id', and 'podcast_slug'. These attributes are concatenated directly into inline JavaScript single-quoted strings without escaping, allowing an attacker with Contributor-level privileges or higher to inject arbitrary JavaScript code. This injected code executes in the context of users viewing the compromised pages, potentially leading to session hijacking or other script-based attacks. The vulnerability affects all versions up to and including 0.3.1. There is no vendor advisory or patch information available, and no known exploits in the wild have been reported.

An attacker with authenticated Contributor-level access or above can inject malicious JavaScript into pages using the vulnerable shortcodes. This script executes in the browsers of users who visit those pages, potentially leading to theft of user credentials, session tokens, or other malicious actions within the context of the affected site. The vulnerability does not impact availability but can compromise confidentiality and integrity of user interactions. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, and required privileges.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Contributor-level and higher access to trusted users only. Avoid using the vulnerable shortcodes or remove the plugin if possible. Monitor for updates from the plugin author or WordPress security channels for an official patch or mitigation instructions.