CVE-2026-4811 is a stored cross-site scripting vulnerability (CWE-79) in the WPB Floating Menu or Categories – Sticky Floating Side Menu & Categories with Icons WordPress plugin. The issue exists in all versions up to and including 1.0.8 due to inadequate sanitization and escaping of the 'Icon CSS Class' category field. Authenticated users with Editor or higher privileges can inject arbitrary web scripts that execute when other users access the injected pages. The vulnerability has a CVSS 3.1 base score of 4.9 (medium severity), with network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, and high confidentiality impact but no integrity or availability impact. No vendor patch or official remediation is currently documented.

Successful exploitation allows an authenticated user with Editor-level or higher access to inject stored malicious scripts into pages via the 'Icon CSS Class' category field. These scripts execute in the context of other users viewing the affected pages, potentially leading to session hijacking, credential theft, or other confidentiality breaches. There is no impact on integrity or availability reported. The vulnerability requires elevated privileges (Editor or higher) and does not require user interaction to trigger the script execution.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Editor-level access to trusted users only and consider disabling or removing the vulnerable plugin if possible. Monitor for updates from the vendor (wpbean) regarding patches or official mitigations.