PT-2026-26870 · WordPress · Ad Short

Zakaria · Published 2026-03-21 · Updated 2026-03-21 · CVE-2026-4067

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Ad Short versions prior to 2.0.2

Description: The Ad Short plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'client' attribute of the 'ad' shortcode. Insufficient input sanitization and output escaping of the 'client' shortcode attribute allows the injection of arbitrary web scripts. The ad_func() shortcode handler, specifically at line 71, uses shortcode_atts() to accept the 'client' attribute and at line 130 places it directly into a double-quoted HTML attribute (data-ad-client) without escaping it with esc_attr() or an equivalent. This enables authenticated attackers with Contributor-level access or higher to inject malicious scripts into pages, which then execute when a user accesses those pages.

Recommendations: Update the Ad Short plugin to version 2.0.2 or later.
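The pattern described above, reconstructed as an added illustration rather than the plugin's actual code: a shortcode handler that drops the 'client' attribute into a double-quoted HTML attribute unescaped, beside the hardened form that passes it through esc_attr(). The handler names, the class name on the element and the sample input are assumptions; the function_exists() fallbacks exist only so the file runs outside WordPress, where the real shortcode_atts() and esc_attr() are provided.

```php
<?php
// Stand-ins so this script runs outside WordPress (assumption: inside WP the
// real functions are loaded and these definitions are skipped).
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, $atts) {
        $atts = (array) $atts;
        $out  = [];
        foreach ($defaults as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        // Escapes <, >, &, " and ' for an HTML attribute context.
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable shape: the attribute value reaches the HTML attribute untouched,
// so a double quote in it terminates data-ad-client early.
function ad_func_vulnerable($atts) {
    $a = shortcode_atts(['client' => ''], $atts);
    return '<ins class="adsbygoogle" data-ad-client="' . $a['client'] . '"></ins>';
}

// Hardened shape: the value is escaped for the attribute context it lands in.
// Capability checks on who may save the shortcode do not replace this step.
function ad_func_fixed($atts) {
    $a = shortcode_atts(['client' => ''], $atts);
    return '<ins class="adsbygoogle" data-ad-client="' . esc_attr($a['client']) . '"></ins>';
}

// Constructed sample: a value carrying a double quote.
$sample = ['client' => 'ca-pub-0000"'];
echo ad_func_vulnerable($sample), PHP_EOL;   // quote closes the attribute
echo ad_func_fixed($sample), PHP_EOL;        // quote becomes &quot;
```

Running the script prints the two renderings side by side; the difference in the second line is the whole fix, and the same esc_attr() call belongs on every attribute value the handler emits, not only 'client'.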

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-4067

Affected Products: Ad Short