WP-Safety
CVE-2026-0557

WP Data Access <= 5.5.63 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpda_app' Shortcode

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
5.5.64
Patched in
1d
Time to patch

Description

The WP Data Access plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpda_app' shortcode in all versions up to, and including, 5.5.63 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=5.5.63
PublishedFebruary 13, 2026
Last updatedFebruary 14, 2026
Affected pluginwp-data-access

What Changed in the Fix

Changes introduced in v5.5.64

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v5.5.63
Browse source Download .zip
Patched v5.5.64
Browse source Download .zip
Research Plan
Unverified

# Vulnerability Research Plan: CVE-2026-0557 (WP Data Access Stored XSS) ## 1. Vulnerability Summary The **WP Data Access** plugin (versions <= 5.5.63) is vulnerable to **Stored Cross-Site Scripting (XSS)** through the `[wpda_app]` shortcode. The vulnerability exists in the way the plugin handles u…

Show full research plan

Vulnerability Research Plan: CVE-2026-0557 (WP Data Access Stored XSS)

1. Vulnerability Summary

The WP Data Access plugin (versions <= 5.5.63) is vulnerable to Stored Cross-Site Scripting (XSS) through the [wpda_app] shortcode. The vulnerability exists in the way the plugin handles user-supplied shortcode attributes. Specifically, in WPDataAccess/Data_Apps/WPDA_App_Container.php, arbitrary attributes passed to the shortcode are collected into an array and then echoed directly into HTML data- attributes using implode without being passed through escaping functions like esc_attr(). This allows an attacker with Contributor-level permissions (who can use shortcodes) to break out of the HTML attribute and inject malicious <script> tags.

2. Attack Vector Analysis

  • Endpoint: WordPress Post/Page rendering containing the [wpda_app] shortcode.
  • Vulnerable Parameter: Any arbitrary attribute added to the [wpda_app] shortcode (other than the reserved id attribute).
  • Authentication: Authenticated (Contributor-level or higher).
  • Preconditions: A valid "App" must exist in the plugin's database to satisfy the id requirement, or one must be created.
  • Vulnerability Type: Stored XSS via HTML Attribute Breakout.

3

Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Data Access plugin is vulnerable to Stored Cross-Site Scripting via its 'wpda_app' shortcode due to insufficient output escaping of user-provided shortcode attributes. Authenticated attackers with Contributor-level access or higher can inject malicious scripts into pages by breaking out of HTML data-attributes, which execute whenever a user views the compromised page.

Vulnerable Code

// WPDataAccess/Data_Apps/WPDA_App_Container.php lines 149-156
					if ( 0 < count( $this->shortcode_args ) ) {
						?>
						data-shortcode_field_name="<?php echo implode( ',', array_keys( $this->shortcode_args ) ); ?>"
						data-shortcode_field_value="<?php echo implode( ',', array_values( $this->shortcode_args ) ); ?>"
						<?php
					}

Security Fix

--- a/WPDataAccess/Data_Apps/WPDA_App_Container.php
+++ b/WPDataAccess/Data_Apps/WPDA_App_Container.php
@@ -151,2 +151,2 @@
-						data-shortcode_field_name="<?php echo implode( ',', array_keys( $this->shortcode_args ) ); ?>"
-						data-shortcode_field_value="<?php echo implode( ',', array_values( $this->shortcode_args ) ); ?>"
+						data-shortcode_field_name="<?php echo esc_attr( implode( ',', array_keys( $this->shortcode_args ) ) ); ?>"
+						data-shortcode_field_value="<?php echo esc_attr( implode( ',', array_values( $this->shortcode_args ) ) ); ?>"

Exploit Outline

The attacker requires Contributor-level permissions or higher to use WordPress shortcodes. They identify a valid App ID (or create one using the plugin's App Builder) and then insert a `[wpda_app]` shortcode into a post or page. By including an arbitrary attribute containing double quotes and an event handler (e.g., `[wpda_app id='1' x='" onmouseover="alert(1)"']`), the attacker can break out of the `data-shortcode_field_value` attribute in the rendered HTML. When an administrator or visitor interacts with the page (e.g., hovering over the app container), the injected JavaScript executes in their browser context.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/97ddb0e9-1bb8-48ed-9fa3-d2b5f260263b?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database