CVE-2026-10024: TinyMCE Shortcode Addon Stored XSS Vulnerability
The TinyMCE shortcode Addon plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting all versions through 1.0.0. An authenticated user with contributor-level permissions or higher can inject malicious JavaScript code into pages via the 'btnrel' shortcode attribute. Because the plugin fails to properly sanitize and escape this input, the injected script will execute in the browsers of anyone who views the affected page. This is a *stored* vulnerability, meaning the malicious code persists in the page content until explicitly removed.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient input validation and output escaping of the 'btnrel' shortcode attribute in the TinyMCE shortcode Addon. When a contributor or administrator uses the shortcode with a crafted 'btnrel' value, the plugin accepts and stores unsanitized content in the database. On page render, this content is output to the frontend without proper HTML entity encoding or escaping, allowing arbitrary JavaScript execution in the context of the WordPress site. The attack vector is network-based, requires low complexity, and demands authenticated access (contributor role minimum), but bypasses per-user protections via the stored nature of the payload.
Business impact
Organizations relying on this plugin face a multi-faceted risk. Compromised pages can silently redirect visitors, harvest credentials, inject cryptocurrency miners, or perform actions on behalf of logged-in users. The impact is amplified on sites with significant traffic or high-value user bases (e.g., customer portals, SaaS platforms). Even though the attack requires an authenticated account, many WordPress sites have numerous contributors, making the attack surface substantial. Remediation delays expose the organization to persistent reputational and operational damage.
Affected systems
All installations of the TinyMCE shortcode Addon plugin for WordPress up to and including version 1.0.0 are vulnerable. The issue affects any WordPress site running this plugin, regardless of PHP version or WordPress core version. Note that the plugin is only exploitable by users with contributor-level access or higher; authors, editors, and administrators can all execute the attack.
Exploitability
The vulnerability requires authenticated access, which limits the immediate threat to insider threats or compromised contributor accounts. However, the barrier to exploitation is low once access is obtained—no complex chain of conditions is necessary. The CVSS score of 6.4 (MEDIUM) reflects this authentication requirement and the fact that availability is not impacted, though confidentiality and integrity of visited pages are compromised. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, but the straightforward nature of the flaw suggests that functional exploits are likely to emerge.
Remediation
Disable or remove the TinyMCE shortcode Addon plugin immediately until a patched version is released by the vendor. If the plugin is business-critical, isolate its use to trusted, audited contributors only, and implement WordPress role-based access controls to restrict shortcode editing. Monitor page revisions and audit logs for suspicious changes to shortcode attributes. As a temporary workaround, use WordPress security plugins or Web Application Firewalls to detect and block malicious shortcode patterns, though this does not eliminate the underlying vulnerability.
Patch guidance
Verify the plugin vendor's advisory and security announcements for patched versions released after June 2026. Update immediately upon availability. Until then, the safest approach is deactivation and removal. Before updating, back up your WordPress installation and verify in a staging environment that the patched version does not break existing shortcode implementations or page layouts.
Detection guidance
Search your WordPress database and revision history for shortcode attributes containing javascript: protocol handlers, event handlers (onclick, onload, etc.), or script tags within the 'btnrel' attribute of TinyMCE shortcodes. Monitor audit logs for changes to pages containing the affected shortcode, particularly from contributor-level or lower-privileged accounts. Implement Content Security Policy (CSP) headers to mitigate inline script execution even if injected code is present. Use WordPress security scanning tools (e.g., Wordfence, Sucuri) configured to flag shortcode anomalies.
Why prioritize this
Although the CVSS score is MEDIUM (6.4), this vulnerability warrants HIGH priority remediation due to its stored nature, ease of exploitation, and business impact. Stored XSS on content-facing pages can compromise user data and trust at scale. The fact that it requires authentication rather than public exploitability should not lull teams into false complacency—internal threats and account compromises are real risks. Rapid patching or removal is essential.
Risk score, explained
The CVSS 3.1 score of 6.4 reflects a network-accessible flaw requiring low attack complexity and privilege escalation to contributor level. While availability is not impacted (hence the absence of 'A' in the severity), both confidentiality and integrity are compromised for site visitors. The 'scope changed' aspect indicates that the injected script can affect resources beyond the immediate vulnerable component. The MEDIUM severity label understates the business risk; organizations should treat this as a priority remediation candidate given the persistence and trust implications of stored XSS.
Frequently asked questions
Can this vulnerability be exploited by unauthenticated users?
No. Exploitation requires an authenticated WordPress account with contributor-level permissions or higher. However, many WordPress sites have numerous contributors, and account compromise is a realistic threat vector.
If I remove the plugin, will my pages break?
Pages using TinyMCE shortcodes will display the shortcode text itself (e.g., [tinymce_shortcode btnrel='value']) rather than rendered output. Review affected pages and either rebuild them without the shortcode or use an alternative plugin offering the same functionality.
Is there a patch available?
As of the vulnerability publication date (June 9, 2026), no patch version has been publicly released. Check the plugin vendor's advisory and security announcements for available updates. Do not wait passively; proactive deactivation is recommended.
Does a Web Application Firewall fully protect me?
A WAF can reduce attack surface by blocking common XSS patterns, but it is not a substitute for patching or removing the vulnerable plugin. Stored XSS is persistent in your database; WAF rules only prevent new injections and may be bypassed with obfuscation.
This analysis is based on the official CVE record as of June 17, 2026. Patch availability, vendor guidance, and exploit status may evolve. Organizations should verify compatibility and conduct testing in non-production environments before applying security updates or deactivating plugins. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and recommends cross-referencing vendor advisories and NIST resources for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2021-47982MEDIUMWP-Paginate 2.1.3 Stored XSS in Plugin Settings