CVE-2026-4078

Name of the Vulnerable Software and Affected Versions ITERAS plugin for WordPress versions prior to 1.8.3

Description Stored Cross-Site Scripting is possible via multiple shortcodes: 'iteras-ordering', 'iteras-signup', 'iteras-paywall-login', and 'iteras-selfservice'. The issue stems from insufficient input sanitization and output escaping in the combine attributes() function, which concatenates shortcode attribute values into JavaScript code within <script> tags using double-quoted string interpolation. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript by including a double-quote character in a shortcode attribute value, allowing scripts to execute when a user visits the affected page.

Recommendations Update the plugin to a version later than 1.8.2. As a temporary workaround, restrict the use of the 'iteras-ordering', 'iteras-signup', 'iteras-paywall-login', and 'iteras-selfservice' shortcodes to trusted users only.