PT-2026-42393 · WordPress · Wpb Floating Menu & Categories

Barohaf - Fpt

·

Published

2026-05-21

·

Updated

2026-05-21

·

CVE-2026-4811

CVSS v3.1

4.9

Medium

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons versions prior to 1.0.9
Description The plugin is subject to Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server. This occurs due to insufficient input sanitization and output escaping in the 'Icon CSS Class' category field. Authenticated attackers with Editor-level access or higher can inject arbitrary web scripts that execute when a user visits the affected page.
Recommendations Update the plugin to a version later than 1.0.8. As a temporary workaround, restrict access to the 'Icon CSS Class' category field for users with Editor-level permissions until the update is applied.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-4811

Affected Products

Wpb Floating Menu & Categories