Skip to main content

General Options EUVDEUVD-2026-31040

| CVE-2026-6399 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-20 Wordfence GHSA-3hhp-2p2q-gg5w
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 02:35 vuln.today

DescriptionCVE.org

The General Options plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.1.0. This is due to the use of sanitize_text_field() for output escaping in the Contact Number (ad_contact_number) field - a function that strips HTML tags but does not encode double-quote characters to their HTML entity equivalent ("). When the stored value is echoed inside a double-quoted HTML attribute (value="..."), an attacker-supplied double-quote character breaks out of the attribute context. Even with WordPress's wp_magic_quotes mechanism (which prefixes quotes with a backslash), the resulting \" sequence is NOT treated as an escaped quote by HTML parsers - the backslash is rendered as a literal character and the bare double-quote still closes the attribute. This makes it possible for authenticated attackers with Administrator-level access and above to inject arbitrary web scripts in the admin settings page that will execute whenever any administrator visits the General Options settings page.

AnalysisAI

Stored Cross-Site Scripting in the General Options WordPress plugin (versions up to and including 1.1.0) allows authenticated attackers holding Administrator-level privileges to persist malicious JavaScript in the Contact Number settings field, which executes in the browser of any administrator who subsequently visits the plugin's settings page. The flaw is rooted in the misapplication of sanitize_text_field() for output escaping - a function that strips HTML tags but does not encode double-quote characters, enabling attribute context breakout when the stored value is echoed inside a double-quoted HTML attribute. WordPress's wp_magic_quotes backslash-prefixing mechanism provides no protection here because HTML parsers treat the backslash as a literal character rather than an escape sequence. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Technical ContextAI

The affected product is the General Options WordPress plugin authored by yog2515 (CPE: cpe:2.3:a:yog2515:general_options:*:*:*:*:*:*:*:*), versions up to and including 1.1.0. The vulnerability class is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting), specifically the Stored variant. The root cause is a developer error in output encoding strategy: WordPress provides two related but distinct sanitization functions - sanitize_text_field() for input sanitization (strips HTML tags, removes extra whitespace) and esc_attr() or esc_html() for output encoding (converts characters including double-quotes to HTML entities). The plugin incorrectly uses the former as a substitute for the latter when rendering the ad_contact_number field value inside a double-quoted HTML attribute (value="..."). An attacker-supplied double-quote in the stored value is never converted to ", so it terminates the attribute context in the rendered HTML. The WordPress wp_magic_quotes mechanism, which adds a backslash before stored quotes, does not remediate this because HTML parsers have no concept of backslash-escaping - the backslash renders as a literal character while the bare double-quote still closes the attribute. Source code evidence is available via WordPress Plugin Trac at direct-main.php and direct-action.php in the 1.1.0 tag.

RemediationAI

No patched version has been identified in the available data - upgrade guidance cannot be confirmed from current references. Administrators running the General Options plugin (yog2515) version 1.1.0 or earlier should consider deactivating and removing the plugin until a patched version is released, as this eliminates the vulnerable attack surface entirely with no functional trade-off if the plugin's features are non-critical. If the plugin cannot be removed, restrict WordPress Administrator account access to the minimum required set of trusted users and enforce strong credential policies (MFA) to reduce the population of accounts that could be used to exploit the flaw. Monitor the plugin's WordPress.org repository and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/d29c69bb-4feb-477e-b18f-934ece21aff6 for patch availability. The underlying fix in plugin code would require replacing sanitize_text_field() with esc_attr() (or equivalent HTML-entity-encoding function) when outputting the ad_contact_number value inside the HTML attribute context in direct-main.php.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-31040 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy