CVE-2026-4089 is a stored cross-site scripting vulnerability in the Twittee Text Tweet WordPress plugin (versions up to 1.0.8). The issue stems from insufficient input sanitization and output escaping of shortcode attributes, particularly the 'id' attribute, which is inserted into an HTML id attribute without esc_attr() escaping. Additional shortcode attributes are injected into inline JavaScript without escaping. The plugin's ttt_twittee_tweeter() function uses extract() to convert shortcode attributes into local variables and concatenates them directly into HTML output, enabling authenticated attackers with Contributor-level privileges or higher to inject arbitrary JavaScript that executes when users view the compromised page.

An attacker with Contributor-level or higher access can exploit this vulnerability to inject persistent malicious scripts into pages using the vulnerable shortcode. This can lead to cross-site scripting attacks affecting any user who views the injected content, potentially resulting in session hijacking, unauthorized actions, or other client-side impacts. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges at the contributor level, no user interaction, and partial confidentiality and integrity impacts without availability impact.

No official patch or remediation is currently available for this vulnerability. Users should monitor the vendor's advisory channels for updates. Until a fix is released, restrict Contributor-level access to trusted users only and consider disabling or removing the Twittee Text Tweet plugin to prevent exploitation. Avoid using the vulnerable shortcode attributes in content. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.