CVE-2026-4082

Name of the Vulnerable Software and Affected Versions ER Swiffy Insert versions prior to 1.0.1

Description The ER Swiffy Insert plugin for WordPress contains a Stored Cross-Site Scripting issue via the '[swiffy]' shortcode. The problem arises from insufficient input sanitization and output escaping of user-supplied shortcode attributes n, w, and h. These attributes are processed using the extract() function and interpolated into the HTML output without proper escaping, such as esc attr(). Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page.

Recommendations Update to a version later than 1.0.0. As a temporary workaround, restrict the use of the n, w, and h attributes within the '[swiffy]' shortcode.