CVE-2026-4006

Name of the Vulnerable Software and Affected Versions Simple Draft List plugin for WordPress versions up to and including 2.6.2

Description The Simple Draft List plugin for WordPress is susceptible to Stored Cross-Site Scripting through the display name post meta (Custom Field). This is a result of inadequate input sanitization and output escaping on the author display name when no author URL is available. The plugin retrieves $draft data->display name, which triggers WP Post:: get() and resolves to get post meta($post id, 'display name', true). When the user url meta field is empty, the $author value is assigned to $author link without any escaping. This unescaped value is then included in the shortcode output via str replace(). Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which will execute when a user accesses a page containing the [drafts] shortcode with the {{author+link}} template tag.

Recommendations Update the Simple Draft List plugin to a version beyond 2.6.2.