PT-2026-26259 · WordPress · Info Cards – Add Text/Media In Card Layouts

Itthidej Aramsri · Published 2026-03-19 · Updated 2026-03-23 · CVE-2026-4120

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Info Cards – Add Text and Media in Card Layouts plugin for WordPress versions up to and including 2.0.7

Description
The Info Cards plugin for WordPress is susceptible to Stored Cross-Site Scripting through the btnUrl parameter within the Info Cards block. Insufficient input validation on URL schemes, specifically the lack of filtering for the javascript: protocol, allows attackers to inject malicious code. The render.php file passes attributes as JSON to the frontend, and the client-side view.js renders the btnUrl value directly as an href attribute without protocol sanitization. Authenticated attackers with Contributor-level access or higher can exploit this to execute arbitrary web scripts when a user clicks the rendered button link.

Recommendations
Versions prior to and including 2.0.7 should be updated to a newer, fixed version when available.
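
The missing protocol check described above, shown as an added example (not the plugin's code and not the vendor's fix): the unsanitized href pattern beside a scheme allowlist. The names ALLOWED_SCHEMES, safeHref, buttonPropsUnsafe and buttonProps, the base URL and the sample values are assumptions made for illustration.

```javascript
// Added example: scheme allowlist for a block's button URL before it becomes an href.
// All function names, the base URL and the sample inputs are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

// Returns a normalized URL string if the scheme is allowed, otherwise null.
function safeHref(raw, base = "https://site.example/") {
  if (typeof raw !== "string" || raw.trim() === "") return null;
  let url;
  try {
    // The WHATWG parser strips leading spaces/control characters and embedded
    // tabs/newlines and lowercases the scheme, so the check sees the same
    // scheme a browser would act on when the link is clicked.
    url = new URL(raw, base);
  } catch {
    return null; // unparseable input never reaches the DOM
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Pattern the advisory describes: the attribute goes straight to href.
function buttonPropsUnsafe(attributes) {
  return { href: attributes.btnUrl };
}

// Hardened form: a rejected URL yields a button with no link at all.
function buttonProps(attributes) {
  const href = safeHref(attributes.btnUrl);
  return href ? { href, rel: "noopener noreferrer" } : {};
}

// Constructed sample attribute values, as they might arrive in the block's JSON.
const samples = [
  "https://example.com/pricing",
  "/contact",
  "javascript:alert(1)",
  "  JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,hi",
];
for (const btnUrl of samples) {
  const shown = buttonProps({ btnUrl }).href ?? "(no link)";
  console.log(JSON.stringify(btnUrl), "->", shown);
}
```

On the server side, WordPress's esc_url() applies a comparable protocol allowlist and could be applied to btnUrl in render.php before the attributes are serialized to JSON.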

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-4120

Affected Products

Infocard
Info Cards – Add Text/Media In Card Layouts