CVE-2026-4088 is a stored cross-site scripting vulnerability in the Switch CTA Box WordPress plugin. The vulnerability occurs because the plugin's shortcode 'wppw_cta_box' directly outputs user-supplied post meta fields ('cta_box_button_link', 'cta_box_button_id', 'cta_box_button_text', and 'cta_box_description') into HTML without applying escaping functions such as esc_attr(), esc_url(), or esc_html(). This allows authenticated users with contributor or higher privileges to inject arbitrary JavaScript that executes in the context of any user viewing the page containing the shortcode. The CVSS 3.1 base score is 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, required privileges, no user interaction, scope change, and limited confidentiality and integrity impact.

An attacker with contributor-level or higher access can inject persistent malicious scripts into pages using the vulnerable shortcode. These scripts execute in the browsers of users who visit the affected pages, potentially leading to session hijacking, defacement, or other client-side attacks. The vulnerability does not affect availability. There are no known exploits in the wild at this time.

No official patch or remediation is currently available. Users should monitor the vendor's advisory channels for updates. As a temporary mitigation, restrict contributor-level access and above to trusted users only, and avoid using the 'wppw_cta_box' shortcode with untrusted content. Applying manual input sanitization or output escaping in the plugin code could mitigate the issue but requires development effort.