PT-2026-34282 · WordPress · Switch Cta Box

Published 2026-04-22 · Updated 2026-05-01 · CVE-2026-4088

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Switch CTA Box versions prior to 1.2

Description

The Switch CTA Box plugin for WordPress contains a Stored Cross-Site Scripting issue within the 'wppw cta box' shortcode. The problem arises from insufficient input sanitization and output escaping of user-supplied post meta values, specifically cta box button link, cta box button id, cta box button text, and cta box description. The shortcode retrieves post meta from a specified post ID and outputs these values directly into the HTML without using escaping functions. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts that execute when a user visits the affected page.

Recommendations

Update the plugin to a version later than 1.1.
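
The pattern described above, shown beside a context-escaped version, as an added example that is not the plugin's own code. The shortcode tag `example_cta_box`, the function names and the `example_cta_*` meta keys are hypothetical placeholders, and the code assumes it is loaded inside WordPress as part of a plugin.

```php
<?php
// Added illustration, not the Switch CTA Box source. The shortcode tag,
// function names and meta keys are hypothetical placeholders.

// Unsafe pattern: post meta is concatenated into markup with no escaping,
// so any value a contributor stored is rendered as live HTML.
function example_cta_box_unsafe( $atts ) {
    $atts   = shortcode_atts( array( 'id' => 0 ), $atts );
    $id     = (int) $atts['id'];
    $link   = get_post_meta( $id, 'example_cta_button_link', true );
    $btn_id = get_post_meta( $id, 'example_cta_button_id', true );
    $text   = get_post_meta( $id, 'example_cta_button_text', true );
    $desc   = get_post_meta( $id, 'example_cta_description', true );

    return '<div class="cta"><p>' . $desc . '</p>'
        . '<a id="' . $btn_id . '" href="' . $link . '">' . $text . '</a></div>';
}

// Hardened pattern: every value is escaped for the context it lands in.
function example_cta_box_safe( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'example_cta_box' );
    $id   = absint( $atts['id'] );
    if ( 0 === $id ) {
        return ''; // No valid post ID, render nothing.
    }

    $link   = (string) get_post_meta( $id, 'example_cta_button_link', true );
    $btn_id = (string) get_post_meta( $id, 'example_cta_button_id', true );
    $text   = (string) get_post_meta( $id, 'example_cta_button_text', true );
    $desc   = (string) get_post_meta( $id, 'example_cta_description', true );

    return sprintf(
        '<div class="cta"><p>%1$s</p><a id="%2$s" href="%3$s">%4$s</a></div>',
        wp_kses_post( $desc ), // element body: allow only post-safe HTML
        esc_attr( $btn_id ),   // attribute value: quotes cannot break out
        esc_url( $link ),      // URL: disallowed schemes are stripped
        esc_html( $text )      // text node: markup is neutralised
    );
}
add_shortcode( 'example_cta_box', 'example_cta_box_safe' );
```

Escaping at output covers values already stored in the database, which sanitizing only at save time would not.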

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-4088

Affected Products

Switch Cta Box