PT-2026-26866 · WordPress · Wp Games Embed
Published 2026-03-21 · Updated 2026-03-21 · CVE-2026-3996
CVSS v3.1: 6.4 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
WP Games Embed plugin for WordPress versions up to and including 0.1beta
Description
The WP Games Embed plugin for WordPress is susceptible to Stored Cross-Site Scripting through the [game] shortcode. Insufficient input sanitization and output escaping of user-supplied shortcode attributes – width, height, src, title, description, game url, main, and thumb – allows for the injection of arbitrary web scripts. These attributes are directly concatenated into HTML output without proper escaping. Authenticated attackers with Contributor-level access or higher can inject malicious scripts into pages, which will then execute when a user accesses those pages.
Recommendations
Update the WP Games Embed plugin to a version beyond 0.1beta.
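For reference when reviewing similar shortcode handlers, the following added example (not the plugin's own code) contrasts the unescaped concatenation described above with a hardened handler built on WordPress core escaping functions. The function names, defaults and markup are hypothetical, only a subset of the listed attributes is shown, and the code assumes it is loaded by WordPress.

```php
<?php
// Added illustration, not the WP Games Embed source. Function names and the
// markup are hypothetical; the code assumes it is loaded by WordPress.

// Defaults shared by both handlers (a subset of the attributes the advisory lists).
function example_game_defaults() {
    return array(
        'width'       => '640',
        'height'      => '480',
        'src'         => '',
        'title'       => '',
        'description' => '',
    );
}

// Pattern described in the advisory: attribute values reach the HTML unescaped.
function example_game_unsafe( $atts ) {
    $a = shortcode_atts( example_game_defaults(), $atts, 'game' );
    return '<div class="game"><h3>' . $a['title'] . '</h3>'
        . '<iframe src="' . $a['src'] . '" width="' . $a['width']
        . '" height="' . $a['height'] . '"></iframe>'
        . '<p>' . $a['description'] . '</p></div>';
}

// Hardened form: validate by type, then escape for the context each value lands in.
function example_game_safe( $atts ) {
    $a = shortcode_atts( example_game_defaults(), $atts, 'game' );

    // Dimensions are numbers, so coerce them to non-negative integers.
    $width  = absint( $a['width'] );
    $height = absint( $a['height'] );

    // esc_url() returns '' for schemes outside the allow-list (e.g. javascript:).
    $src = esc_url( $a['src'], array( 'http', 'https' ) );
    if ( '' === $src ) {
        return '';
    }

    return sprintf(
        '<div class="game"><h3>%s</h3><iframe src="%s" width="%d" height="%d"></iframe><p>%s</p></div>',
        esc_html( $a['title'] ),
        $src,
        $width,
        $height,
        esc_html( $a['description'] )
    );
}

// Register only the hardened handler.
add_shortcode( 'game', 'example_game_safe' );
```

Text placed inside an attribute value rather than element content would use `esc_attr()` instead of `esc_html()`.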
Fix
XSS
Affected Products
Wp Games Embed