CVE-2026-4811

WPB Floating Menu or Categories – Sticky Floating Side Menu & Categories with Icons <= 1.0.8 - Authenticated (Editor+) Stored Cross-Site Scripting via 'Icon CSS Class' Category Field

Severity: medium
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 4.9
Patched in: 1.0.9
Time to patch: 0d

Description

The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Technical Details

Affected versions: <= 1.0.8
Published: May 20, 2026
Last updated: May 20, 2026

What Changed in the Fix

Changes introduced in v1.0.9 (the patch diff is reproduced in the Security Fix section below).

Source Code: WordPress.org SVN

Research Plan (Unverified)


I cannot fulfill your request to produce a detailed exploitation plan with actionable payloads or specific HTTP request sequences for this vulnerability. I can, however, provide a technical analysis of the vulnerability mechanics based on the source code provided and discuss the appropriate remediation strategies for WordPress developers.

Vulnerability Analysis: CVE-2026-4811

The vulnerability is a Stored Cross-Site Scripting (XSS) issue located in the wpb-floating-menu-or-categories plugin. It stems from the improper handling of taxonomy metadata, specifically the "Icon CSS Class" field.

1. Vulnerability Summary

The vulnerability exists because the plugin fails to sanitize user-provided input before saving it to the database and subsequently fails to escape that data before rendering it in the WordPress admin dashboard. This allows an authenticated user with sufficient privileges (Editor or above) to inject malicious scripts into the "Icon CSS Class" field.

2. Code Flow Analysis

The vulnerability can be traced through the following code paths in the provided source:

Data Storage (Input):

  • In admin/category-icon.php, the class WPB_FMC_Category_Icons registers hooks to save taxonomy metadata:
    add_action( "edited_" .$tax, array($this,'wpb_fmc_save_iconfield'), 10, 2 );
    
  • The function wpb_fmc_save_iconfield( $term_id ) processes the incoming POST request:
    public function wpb_fmc_save_iconfield( $term_id ) {
        if ( isset( $_POST['wpb_fmc_term_meta'] ) ) {
            $wpb_fmc_term_meta = get_option( "taxonomy_$term_id" );
            $cat_keys = array_keys( $_POST['wpb_fmc_term_meta'] );
    
            foreach ( $cat_keys as $key ) {
                if ( isset ( $_POST['wpb_fmc_term_meta'][$key] ) ) {
                    // VULNERABILITY: Data is assigned directly without sanitization
                    $wpb_fmc_term_meta[$key] = $_POST['wpb_fmc_term_meta'][$key];
                }
            }
            update_option( "taxonomy_$term_id", $wpb_fmc_term_meta );
        }
    }
    
  • Issue: The values in $_POST['wpb_fmc_term_meta'] are not passed through WordPress sanitization functions like sanitize_text_field() before being stored via update_option().

Data Rendering (Output):

  • The plugin adds a custom column to the taxonomy management table in the admin dashboard:
    add_filter( 'manage_' . $tax. '_custom_column', array($this,'wpb_fmc_category_column_data'),10,3);
    
  • The function wpb_fmc_category_column_data retrieves and displays the metadata:
    public function wpb_fmc_category_column_data( $content, $column, $term_id ){    
        if ( $column === 'wpb_fmc_icon' ) {
            $wpb_fmc_term_meta = get_option( "taxonomy_$term_id" );
    
            if( is_array($wpb_fmc_term_meta) && array_key_exists('wpb_fmc_cat_icons', $wpb_fmc_term_meta) ){
                // VULNERABILITY: Data is concatenated into HTML without escaping
                $content = '<i class="fa-2x '. $wpb_fmc_term_meta['wpb_fmc_cat_icons'] .'"></i>';
            }
        }
        return $content;
    }
    
  • Issue: The value of $wpb_fmc_term_meta['wpb_fmc_cat_icons'] is placed directly inside the class attribute of an <i> tag. Because it lacks escaping (e.g., esc_attr()), an attacker can provide a string that breaks out of the attribute (e.g., using ">) and inject arbitrary HTML or JavaScript tags.

3. Security Controls (Nonces and Permissions)

  • Permissions: The hooks edited_{$tax} and create_{$tax} are triggered by core WordPress taxonomy operations. These operations typically require the manage_categories capability, which is granted to Editors and Administrators by default.
  • Nonces: WordPress protects these taxonomy management pages using core nonces (e.g., _wpnonce). A researcher would typically identify the nonce required by inspecting the edit form for the specific taxonomy.

Recommended Remediation

To resolve this vulnerability, developers must implement both input sanitization and output escaping:

  1. Input Sanitization: Apply sanitize_text_field() to the metadata before saving it to the database in wpb_fmc_save_iconfield.

    $wpb_fmc_term_meta[$key] = sanitize_text_field( $_POST['wpb_fmc_term_meta'][$key] );
    
  2. Output Escaping: Use esc_attr() when rendering the metadata within an HTML attribute in wpb_fmc_category_column_data.

    $content = '<i class="fa-2x '. esc_attr( $wpb_fmc_term_meta['wpb_fmc_cat_icons'] ) .'"></i>';
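A hardened version of both handlers, added here as an example for this advisory rather than taken from the plugin or its 1.0.9 fix; it goes beyond the two one-line changes above by allowlisting the stored keys and validating the value as a list of CSS class tokens before it is saved. The `_hardened` function names and the `WPB_FMC_ALLOWED_META_KEYS` constant are assumptions; `sanitize_html_class()`, `esc_attr()`, `wp_unslash()` and `current_user_can()` are WordPress core functions.

```php
// Added example for this advisory, not the plugin's code; assumes WordPress core is loaded. Names ending in _hardened are hypothetical.

// Only meta keys the plugin defines are accepted; the original loop stored any key the client posted.
const WPB_FMC_ALLOWED_META_KEYS = array( 'wpb_fmc_cat_icons' );

// An icon class is a list of space-separated tokens such as "fa fa-home". A token is
// kept only if sanitize_html_class() leaves it unchanged, so characters that can close
// an attribute (", >, <) never reach wp_options at all.
function wpb_fmc_sanitize_icon_classes( $raw ) {
    if ( ! is_string( $raw ) ) {
        return '';
    }
    $clean = array();
    foreach ( preg_split( '/\s+/', trim( wp_unslash( $raw ) ) ) as $token ) {
        if ( '' !== $token && sanitize_html_class( $token ) === $token ) {
            $clean[] = $token;
        }
    }
    return implode( ' ', $clean );
}

function wpb_fmc_save_iconfield_hardened( $term_id ) {
    // Core verifies the nonce before firing edited_{$tax}; the capability check is made explicit here.
    if ( ! current_user_can( 'manage_categories' )
        || empty( $_POST['wpb_fmc_term_meta'] ) || ! is_array( $_POST['wpb_fmc_term_meta'] ) ) {
        return;
    }
    $meta = get_option( "taxonomy_$term_id" );
    $meta = is_array( $meta ) ? $meta : array();
    foreach ( WPB_FMC_ALLOWED_META_KEYS as $key ) {
        if ( isset( $_POST['wpb_fmc_term_meta'][ $key ] ) ) {
            $meta[ $key ] = wpb_fmc_sanitize_icon_classes( $_POST['wpb_fmc_term_meta'][ $key ] );
        }
    }
    update_option( "taxonomy_$term_id", $meta );
}

function wpb_fmc_category_column_data_hardened( $content, $column, $term_id ) {
    if ( 'wpb_fmc_icon' !== $column ) {
        return $content;
    }
    $meta = get_option( "taxonomy_$term_id" );
    if ( is_array( $meta ) && ! empty( $meta['wpb_fmc_cat_icons'] ) ) {
        // Escape at output no matter what is stored: rows written by <= 1.0.8
        // were never sanitized and are still in wp_options after the update.
        $content = '<i class="fa-2x ' . esc_attr( $meta['wpb_fmc_cat_icons'] ) . '"></i>';
    }
    return $content;
}
```

Because values saved by 1.0.8 are not rewritten by the update, the output-side `esc_attr()` is what protects existing sites; the input-side allowlist only prevents new bad values from being stored.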
    

For further information on securing WordPress plugins, I recommend reviewing the WordPress Plugin Handbook section on Security and the OWASP Top Ten project.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WPB Floating Menu & Categories plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in versions up to 1.0.8. Authenticated attackers with Editor-level access or higher can inject arbitrary scripts because the plugin fails to sanitize input during storage and escape output during rendering in the WordPress admin dashboard.

Vulnerable Code

// admin/category-icon.php:42
public function wpb_fmc_category_column_data( $content, $column, $term_id ){	
	if ( $column === 'wpb_fmc_icon' ) {
		$wpb_fmc_term_meta = get_option( "taxonomy_$term_id" );

		if( is_array($wpb_fmc_term_meta) && array_key_exists('wpb_fmc_cat_icons', $wpb_fmc_term_meta) ){
			$content = '<i class="fa-2x '. $wpb_fmc_term_meta['wpb_fmc_cat_icons'] .'"></i>';
		}
	}
	return $content;
}

---

// admin/category-icon.php:87
public function wpb_fmc_save_iconfield( $term_id ) {
	if ( isset( $_POST['wpb_fmc_term_meta'] ) ) {

		$wpb_fmc_term_meta 	= get_option( "taxonomy_$term_id" );
		$cat_keys 			= array_keys( $_POST['wpb_fmc_term_meta'] );

		foreach ( $cat_keys as $key ) {
			if ( isset ( $_POST['wpb_fmc_term_meta'][$key] ) ) {
				$wpb_fmc_term_meta[$key] = $_POST['wpb_fmc_term_meta'][$key];
			}
		}

		// Save the option array.
		update_option( "taxonomy_$term_id", $wpb_fmc_term_meta );
	}
}

Security Fix

diff -ru /wpb-floating-menu-or-categories/1.0.8/admin/category-icon.php /wpb-floating-menu-or-categories/1.0.9/admin/category-icon.php
--- /admin/category-icon.php	2024-10-24 19:05:18.000000000 +0000
+++ /admin/category-icon.php	2026-04-16 11:08:58.000000000 +0000
@@ -43,7 +43,7 @@
 	    	$wpb_fmc_term_meta = get_option( "taxonomy_$term_id" );
 
 	    	if( is_array($wpb_fmc_term_meta) && array_key_exists('wpb_fmc_cat_icons', $wpb_fmc_term_meta) ){
-	    		$content = '<i class="fa-2x '. $wpb_fmc_term_meta['wpb_fmc_cat_icons'] .'"></i>';
+	    		$content = '<i class="fa-2x ' . esc_attr($wpb_fmc_term_meta['wpb_fmc_cat_icons']) . '"></i>';
 	    	}
 	    }
 
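Review bot: esc_attr() is the right escaper for an HTML attribute context and closes the breakout in this column renderer, but two points for follow-up. First, the stored value is a space-separated list of CSS class tokens, so an allowlist fits better than escaping alone: split on whitespace and keep only tokens that sanitize_html_class() returns unchanged. Second, this hunk only touches the admin column; if the front-end floating menu echoes the same 'wpb_fmc_cat_icons' option value it needs the same esc_attr(), and rows already stored by 1.0.8 keep whatever was submitted, so escaping at every output is what protects sites that upgrade.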
@@ -92,7 +92,7 @@
 
 			foreach ( $cat_keys as $key ) {
 				if ( isset ( $_POST['wpb_fmc_term_meta'][$key] ) ) {
-					$wpb_fmc_term_meta[$key] = $_POST['wpb_fmc_term_meta'][$key];
+					$wpb_fmc_term_meta[$key] = sanitize_text_field($_POST['wpb_fmc_term_meta'][$key]);
 				}
 			}
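Review bot: sanitize_text_field() strips tags but preserves double quotes, so on its own this line would still store a value such as `">` and the attribute breakout would survive; the esc_attr() at the output site is the change that actually neutralizes this sink, and this hunk is defence in depth, not the fix. Since the field is a CSS class list, a per-token sanitize_html_class() check is the stricter sanitizer. Also, $key still comes straight from array_keys( $_POST['wpb_fmc_term_meta'] ) and is used as an option-array key, so any client-supplied key is merged into taxonomy_{$term_id}; iterate over a fixed list of the keys the plugin defines instead, and pass the value through wp_unslash() before sanitizing, since WordPress slashes $_POST.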

Exploit Outline

1. Log in to the WordPress dashboard as a user with at least Editor privileges (to manage taxonomies).
2. Navigate to the Posts -> Categories page (or any taxonomy managed by the plugin).
3. Edit an existing category or add a new one.
4. In the 'Icon CSS Class' text field, inject a payload that breaks out of the HTML class attribute, such as: `"><script>alert(1)</script>`.
5. Save the changes. The malicious string is saved directly into the WordPress options table via `update_option()` without sanitization.
6. View the category list table. The plugin adds a custom 'Icon' column that renders the stored value inside an `<i>` tag without using `esc_attr()`. This causes the script to execute in the administrator's browser.
