{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4022", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-11T20:18:12.165Z", "datePublished": "2026-03-21T03:27:13.613Z", "dateUpdated": "2026-03-23T17:46:06.919Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:27:13.613Z"}, "affected": [{"vendor": "creativedev4", "product": "Show Posts list \u2013 Easy designs, filters and more", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Show Posts list \u2013 Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_type' shortcode attribute in the 'swiftpost-list' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Show Posts list <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc6634bc-4427-44b6-bf77-d97d5b49e82f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/trunk/post-shortcode.php#L119"}, {"url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/tags/1.1.0/post-shortcode.php#L119"}, {"url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/trunk/post-shortcode.php#L43"}, {"url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/tags/1.1.0/post-shortcode.php#L43"}, {"url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/trunk/post-shortcode.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/tags/1.1.0/post-shortcode.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/trunk/post-shortcode.php#L103"}, {"url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/tags/1.1.0/post-shortcode.php#L103"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "timeline": [{"time": "2026-03-20T15:06:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T17:45:54.099296Z", "id": "CVE-2026-4022", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:46:06.919Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4022", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T17:45:54.099296Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:45:58.658Z"}}], "cna": {"title": "Show Posts list <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "zakaria"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "creativedev4", "product": "Show Posts list \u2013 Easy designs, filters and more", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:06:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc6634bc-4427-44b6-bf77-d97d5b49e82f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/trunk/post-shortcode.php#L119"}, {"url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/tags/1.1.0/post-shortcode.php#L119"}, {"url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/trunk/post-shortcode.php#L43"}, {"url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/tags/1.1.0/post-shortcode.php#L43"}, {"url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/trunk/post-shortcode.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/tags/1.1.0/post-shortcode.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/trunk/post-shortcode.php#L103"}, {"url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/tags/1.1.0/post-shortcode.php#L103"}], "descriptions": [{"lang": "en", "value": "The Show Posts list \u2013 Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_type' shortcode attribute in the 'swiftpost-list' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:27:13.613Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4022", "state": "PUBLISHED", "dateUpdated": "2026-03-23T17:46:06.919Z", "dateReserved": "2026-03-11T20:18:12.165Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:27:13.613Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Show Posts list \u2013 Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_type' shortcode attribute in the 'swiftpost-list' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4022", "lastModified": "2026-03-23T14:32:02.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-21T04:17:39.853", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/tags/1.1.0/post-shortcode.php#L103"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/tags/1.1.0/post-shortcode.php#L119"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/tags/1.1.0/post-shortcode.php#L21"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/tags/1.1.0/post-shortcode.php#L43"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/trunk/post-shortcode.php#L103"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/trunk/post-shortcode.php#L119"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/trunk/post-shortcode.php#L21"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/show-posts-shortcodes/trunk/post-shortcode.php#L43"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc6634bc-4427-44b6-bf77-d97d5b49e82f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Show Posts list \u2013 Easy designs, filters and more", "source": "cna", "vendor": "creativedev4"}, "product": "show_posts_list_\u2013_easy_designs,_filters_and_more", "vendor": "creativedev4"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T07:09:19.369192+00:00", "value": {"mitigation_remediation": ["Upgrade the Show Posts list plugin to the latest available version, which removes the vulnerable handling of the post_type attribute.", "If an immediate upgrade is not possible, revoke contributor or higher privileges for users who do not need them or adjust role capabilities to restrict shortcode usage.", "Delete or replace all instances of the swiftpost\u2011list shortcode in existing content until a patched version is installed.", "Regularly monitor the plugin\u2019s update releases and apply security fixes as soon as they become available."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The Show Posts list \u2013 Easy designs, filters and more plugin by creativedev4 is affected in all releases up to and including 1.1.0. Users with contributor-level or higher access can exploit the shortcode to inject the payload.", "description_and_impact": "The flaw permits an authenticated user with contributor or higher privileges to insert arbitrary scripts via the \u2018post_type\u2019 attribute in the \u2018swiftpost\u2011list\u2019 shortcode. Because the plugin sanitizes and escapes this attribute incorrectly, the injected code is stored and later rendered in browsers of any visitor to the affected page, enabling phishing, credential theft, or other malicious activity.", "risk_and_exploitability": "The CVSS score of 6.4 marks this issue as moderate severity. No EPSS entry and absence from the CISA KEV catalog suggest that exploitation has not been widely observed yet, but the stored nature of the XSS means every page view by an ordinary user triggers the malicious code. Attackers must first authenticate with at least contributor rights, limiting but not eliminating the threat. Once a valid injected payload is present, it can execute in the browser context of all visitors to the compromised content."}}}}, "created": "2026-03-23T09:49:42.634192+00:00", "updated": "2026-03-25T14:41:20.794671+00:00", "vendors": ["creativedev4", "creativedev4$PRODUCT$show_posts_list_\u2013_easy_designs,_filters_and_more", "wordpress", "wordpress$PRODUCT$wordpress"]}