CVE-2026-4120 is a stored cross-site scripting vulnerability classified under CWE-79, found in the WordPress plugin 'Info Cards – Add Text and Media in Card Layouts' by bplugins. The vulnerability exists in all versions up to and including 2.0.7 due to improper input validation of the 'btnUrl' parameter within the Info Cards block. Specifically, the plugin fails to filter out dangerous URL schemes such as 'javascript:'. The plugin's render.php file encodes block attributes as JSON and passes them to the frontend via a data-attributes HTML attribute using esc_attr(wp_json_encode()), which prevents HTML attribute injection but does not sanitize URL protocols within the JSON data. On the client side, the view.js script renders the btnUrl value directly as the href attribute of anchor elements without any protocol validation or sanitization. This flaw allows authenticated users with Contributor-level permissions or higher to inject malicious javascript: URLs that execute arbitrary scripts when clicked by any user viewing the card. The vulnerability can lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the victim's browser session. The CVSS 3.1 base score is 6.4, indicating medium severity, with an attack vector over the network, low attack complexity, requiring privileges (Contributor or higher), no user interaction beyond clicking the link, and a scope change due to affecting other components. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date.

The impact of CVE-2026-4120 is significant for organizations using the vulnerable WordPress plugin, especially those allowing Contributor-level or higher users to create or edit content. Exploitation can lead to arbitrary script execution in the browsers of users who click the malicious links, potentially resulting in session hijacking, credential theft, unauthorized actions, or distribution of malware. Since the vulnerability requires authenticated access, insider threats or compromised accounts pose a risk. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the immediate plugin, potentially impacting the entire WordPress site and its users. Although availability is not affected, the confidentiality and integrity of user data and site content are at risk. Organizations with high traffic or sensitive data on WordPress sites using this plugin are particularly vulnerable to reputational damage and data breaches if exploited.

To mitigate CVE-2026-4120, organizations should first check for and apply any official patches or updates from the bplugins vendor once available. In the absence of patches, administrators can implement strict input validation and sanitization on the 'btnUrl' parameter, specifically filtering out dangerous URL schemes such as 'javascript:'. This can be done by customizing the plugin code or using WordPress hooks to sanitize URLs before rendering. Additionally, restricting Contributor-level users' ability to add or modify Info Cards blocks or limiting plugin usage to trusted users can reduce risk. Employing a Web Application Firewall (WAF) with rules to detect and block malicious javascript: URLs in user-generated content can provide a compensating control. Monitoring logs for unusual URL patterns and educating users about the risks of clicking untrusted links within the site can further reduce exploitation likelihood. Finally, regular security audits and vulnerability scanning of WordPress plugins are recommended to identify and remediate similar issues proactively.