CVE-2026-3554

CVSS v3.1

6.4

Medium

AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

The Sherk Custom Post Type Displays plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the 'title' attribute of the 'sherkcptdisplays' shortcode. Specifically, in the sherkcptdisplays func() function in includes/SherkCPTDisplaysShortcode.php, the 'title' attribute value is extracted from shortcode atts() on line 19 and directly concatenated into an HTML

tag on line 31 without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2026-3554

Affected Products

Sherk Custom Post Type Displays

CVE-2026-3554

tag on line 31 without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Weakness Enumeration

Related Identifiers

Affected Products

References · 6