PT-2026-42393 · WordPress · Wpb Floating Menu & Categories
Barohaf - Fpt
·
Published
2026-05-21
·
Updated
2026-05-21
·
CVE-2026-4811
CVSS v3.1
4.9
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons versions prior to 1.0.9
Description
The plugin is subject to Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server. This occurs due to insufficient input sanitization and output escaping in the 'Icon CSS Class' category field. Authenticated attackers with Editor-level access or higher can inject arbitrary web scripts that execute when a user visits the affected page.
Recommendations
Update the plugin to a version later than 1.0.8.
As a temporary workaround, restrict access to the 'Icon CSS Class' category field for users with Editor-level permissions until the update is applied.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wpb Floating Menu & Categories