Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
The General Options plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.1.0. This is due to the use of sanitize_text_field() for output escaping in the Contact Number (ad_contact_number) field - a function that strips HTML tags but does not encode double-quote characters to their HTML entity equivalent ("). When the stored value is echoed inside a double-quoted HTML attribute (value="..."), an attacker-supplied double-quote character breaks out of the attribute context. Even with WordPress's wp_magic_quotes mechanism (which prefixes quotes with a backslash), the resulting \" sequence is NOT treated as an escaped quote by HTML parsers - the backslash is rendered as a literal character and the bare double-quote still closes the attribute. This makes it possible for authenticated attackers with Administrator-level access and above to inject arbitrary web scripts in the admin settings page that will execute whenever any administrator visits the General Options settings page.
AnalysisAI
Stored Cross-Site Scripting in the General Options WordPress plugin (versions up to and including 1.1.0) allows authenticated attackers holding Administrator-level privileges to persist malicious JavaScript in the Contact Number settings field, which executes in the browser of any administrator who subsequently visits the plugin's settings page. The flaw is rooted in the misapplication of sanitize_text_field() for output escaping - a function that strips HTML tags but does not encode double-quote characters, enabling attribute context breakout when the stored value is echoed inside a double-quoted HTML attribute. WordPress's wp_magic_quotes backslash-prefixing mechanism provides no protection here because HTML parsers treat the backslash as a literal character rather than an escape sequence. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.
Technical ContextAI
The affected product is the General Options WordPress plugin authored by yog2515 (CPE: cpe:2.3:a:yog2515:general_options:*:*:*:*:*:*:*:*), versions up to and including 1.1.0. The vulnerability class is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting), specifically the Stored variant. The root cause is a developer error in output encoding strategy: WordPress provides two related but distinct sanitization functions - sanitize_text_field() for input sanitization (strips HTML tags, removes extra whitespace) and esc_attr() or esc_html() for output encoding (converts characters including double-quotes to HTML entities). The plugin incorrectly uses the former as a substitute for the latter when rendering the ad_contact_number field value inside a double-quoted HTML attribute (value="..."). An attacker-supplied double-quote in the stored value is never converted to ", so it terminates the attribute context in the rendered HTML. The WordPress wp_magic_quotes mechanism, which adds a backslash before stored quotes, does not remediate this because HTML parsers have no concept of backslash-escaping - the backslash renders as a literal character while the bare double-quote still closes the attribute. Source code evidence is available via WordPress Plugin Trac at direct-main.php and direct-action.php in the 1.1.0 tag.
RemediationAI
No patched version has been identified in the available data - upgrade guidance cannot be confirmed from current references. Administrators running the General Options plugin (yog2515) version 1.1.0 or earlier should consider deactivating and removing the plugin until a patched version is released, as this eliminates the vulnerable attack surface entirely with no functional trade-off if the plugin's features are non-critical. If the plugin cannot be removed, restrict WordPress Administrator account access to the minimum required set of trusted users and enforce strong credential policies (MFA) to reduce the population of accounts that could be used to exploit the flaw. Monitor the plugin's WordPress.org repository and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/d29c69bb-4feb-477e-b18f-934ece21aff6 for patch availability. The underlying fix in plugin code would require replacing sanitize_text_field() with esc_attr() (or equivalent HTML-entity-encoding function) when outputting the ad_contact_number value inside the HTML attribute context in direct-main.php.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31040
GHSA-3hhp-2p2q-gg5w