{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4084", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-12T20:48:55.644Z", "datePublished": "2026-03-21T03:26:41.913Z", "dateUpdated": "2026-03-23T17:23:43.524Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:26:41.913Z"}, "affected": [{"vendor": "cbednarek", "product": "fyyd podcast shortcodes", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "0.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'color', 'podcast_id', and 'podcast_slug'. These attributes are directly concatenated into inline JavaScript within single-quoted string arguments without any escaping or sanitization, allowing an attacker to break out of the JavaScript string context. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "fyyd podcast shortcodes <= 0.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f9d57ae-b238-43db-8eee-ccab499b1cbc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L65"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L65"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L48"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L48"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L100"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L100"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L224"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L224"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L141"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L141"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-03-20T15:06:48.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T17:23:28.606505Z", "id": "CVE-2026-4084", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:23:43.524Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4084", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T17:23:28.606505Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:23:36.136Z"}}], "cna": {"title": "fyyd podcast shortcodes <= 0.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "cbednarek", "product": "fyyd podcast shortcodes", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "0.3.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:06:48.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f9d57ae-b238-43db-8eee-ccab499b1cbc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L65"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L65"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L48"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L48"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L100"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L100"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L224"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L224"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L141"}, {"url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L141"}], "descriptions": [{"lang": "en", "value": "The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'color', 'podcast_id', and 'podcast_slug'. These attributes are directly concatenated into inline JavaScript within single-quoted string arguments without any escaping or sanitization, allowing an attacker to break out of the JavaScript string context. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:26:41.913Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4084", "state": "PUBLISHED", "dateUpdated": "2026-03-23T17:23:43.524Z", "dateReserved": "2026-03-12T20:48:55.644Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:41.913Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'color', 'podcast_id', and 'podcast_slug'. These attributes are directly concatenated into inline JavaScript within single-quoted string arguments without any escaping or sanitization, allowing an attacker to break out of the JavaScript string context. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4084", "lastModified": "2026-03-23T14:32:02.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-21T04:17:40.810", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L100"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L141"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L224"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L48"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L60"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/tags/0.3.1/fyyd-podcast-shortcodes.php#L65"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L100"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L141"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L224"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L48"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L60"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fyyd-podcast-shortcodes/trunk/fyyd-podcast-shortcodes.php#L65"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f9d57ae-b238-43db-8eee-ccab499b1cbc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.3.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "fyyd podcast shortcodes", "source": "cna", "vendor": "cbednarek"}, "product": "fyyd_podcast_shortcodes", "vendor": "cbednarek"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T07:37:46.502882+00:00", "value": {"mitigation_remediation": ["Update the fyyd podcast shortcodes plugin to the newest release (0.3.2 or later).", "If a newer version is unavailable, deactivate or remove the plugin to prevent further exploitation.", "Limit Contributor permissions or enforce strict content review before allowing users to add shortcodes with user\u2011supplied attributes."], "summary": {"action": "Patch", "impact": "Script Injection via Stored XSS"}, "threat_synthesis": {"affected_systems": "All WordPress sites running the cbednarek fyyd podcast shortcodes plugin, version 0.3.1 or earlier, are vulnerable. The flaw applies to the 'fyyd\u2011podcast', 'fyyd\u2011episode', and 'fyyd' shortcodes that expose the vulnerable attributes.", "description_and_impact": "The fyyd podcast shortcodes plugin for WordPress contains a Stored XSS vulnerability, classified as CWE\u201179. The plugin concatenates user\u2011supplied values from shortcode attributes\u2014such as 'color', 'podcast_id', and 'podcast_slug'\u2014directly into inline JavaScript without sanitization or escaping, allowing an attacker to break out of the string context and inject arbitrary script. When the malicious code is stored in a post or page, it executes automatically whenever any user views that content, providing a vector for session hijacking, credential theft, or further site compromise.", "risk_and_exploitability": "The flaw carries a medium CVSS score of 6.4, with no EPSS data available and it is absent from the CISA KEV catalog. Exploitation requires an authenticated user with Contributor-level or higher access and the ability to insert a malformed 'color' attribute into a shortcode. Once stored, the injected script runs for any visitor to the affected page, offering attackers a persistent and widespread attack surface."}}}}, "created": "2026-03-23T09:50:47.686754+00:00", "updated": "2026-03-25T14:42:21.564463+00:00", "vendors": ["cbednarek", "cbednarek$PRODUCT$fyyd_podcast_shortcodes", "wordpress", "wordpress$PRODUCT$wordpress"]}