CVE-2026-7661

The Bootstrap Shortcode plugin for WordPress (versions up to and including 1.0) contains a stored cross-site scripting (XSS) vulnerability in its box shortcode. The root cause is insufficient input sanitization and output escaping on user-supplied attributes, allowing malicious HTML or JavaScript to be stored in the database.

To exploit this vulnerability, an attacker must have at least Contributor-level access to the WordPress site. The attacker can then craft a post or page using the box shortcode with a malicious attribute value. When any user (including administrators) views the compromised page, the injected script executes in their browser.

Successful exploitation enables the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, or defacing the site. The impact is limited to authenticated users with contributor privileges, but the stored nature means the payload persists until removed.

The plugin has been closed as of May 6, 2026, pending a full review [1]. Users should remove or replace the plugin immediately. No patched version is available, and the only mitigation is to disable or delete the plugin.