PT-2026-26874 · WordPress · Fyyd Podcast Shortcodes Plugin

Published: 2026-03-21 · Updated: 2026-03-21 · CVE-2026-4084

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

fyyd podcast shortcodes plugin for WordPress, versions up to and including 0.3.1

Description

The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting through the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes. The cause is inadequate input sanitization and output escaping of user-provided shortcode attributes, specifically 'color', 'podcast id', and 'podcast slug'. These attributes are inserted directly into inline JavaScript, inside single-quoted string arguments, without escaping or sanitization, so an attacker can break out of the JavaScript string context. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, and those scripts execute when a user views the affected page.

Recommendations

Update the fyyd podcast shortcodes plugin to a version beyond 0.3.1.
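
The escaping failure described above, shown next to a hardened form. This is an added example and not the plugin's own code: the function names, the array keys `color`, `podcast_id` and `podcast_slug`, and the `fyydWidget()` JavaScript call are hypothetical, and the attribute values are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Function names, array keys and the
// fyydWidget() JavaScript call are hypothetical.

// Pattern the advisory describes: values pasted into single-quoted JS strings.
function render_unsafe(array $atts): string
{
    return "<script>fyydWidget('{$atts['color']}', '{$atts['podcast_id']}', "
         . "'{$atts['podcast_slug']}');</script>";
}

// Encode any value as a JavaScript literal that cannot end the string or the
// enclosing <script> element: ', ", <, > and & become \uXXXX escapes.
function js_literal($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

// Hardened pattern: allowlist each attribute, then emit it via js_literal().
// In WordPress, sanitize_hex_color(), absint(), sanitize_title() and
// wp_json_encode() cover the same steps.
function render_safe(array $atts): string
{
    $color = (string) ($atts['color'] ?? '');
    $id    = (string) ($atts['podcast_id'] ?? '');
    $slug  = (string) ($atts['podcast_slug'] ?? '');

    $color = preg_match('/\A#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\z/', $color) ? $color : '#000000';
    $id    = ctype_digit($id) ? (int) $id : 0;
    $slug  = preg_match('/\A[a-z0-9-]{1,200}\z/', $slug) ? $slug : '';

    return '<script>fyydWidget(' . js_literal($color) . ', ' . js_literal($id)
         . ', ' . js_literal($slug) . ');</script>';
}

// Constructed attributes: each value carries a stray quote or tag.
$atts = ['color' => "#fff'x", 'podcast_id' => "12'", 'podcast_slug' => "my-show</script>"];

echo render_unsafe($atts), PHP_EOL;   // quotes and tag reach the page verbatim
echo render_safe($atts), PHP_EOL;     // invalid values replaced by safe defaults
echo js_literal("my-show'</script>"), PHP_EOL; // encoding alone keeps it inside the string
```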

Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2026-4084

Affected Products: Fyyd Podcast Shortcodes Plugin