CVE-2026-3997

Name of the Vulnerable Software and Affected Versions WordPress Text Toggle plugin versions up to and including 1.1

Description The Text Toggle plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'title' shortcode attribute of the [tt part] and [tt] shortcodes. This is a result of inadequate input sanitization and output escaping of user-provided shortcode attributes. The avp texttoggle part shortcode() function extracts the 'title' attribute from shortcode attributes and directly incorporates it into HTML output without proper escaping, both within an HTML attribute context and as HTML content. The 'class' attribute is validated, but the 'title' attribute lacks any sanitization. An attacker can inject double-quote characters to escape the title attribute and inject arbitrary HTML attributes, including event handlers. Authenticated attackers with Contributor-level access or higher can inject malicious web scripts into pages, which will execute when a user accesses the affected page.

Recommendations WordPress Text Toggle plugin version 1.1: Update to a newer version that addresses this issue. WordPress Text Toggle plugin versions prior to 1.1: Update to a newer version that addresses this issue.