CVE-2026-4081: Stored XSS in ZeM STL WordPress Plugin via Shortcode Attributes
The ZeM STL plugin for WordPress contains a vulnerability that allows authenticated users with Contributor-level permissions or higher to inject malicious scripts into website pages. When someone visits a page containing the injected script, their browser executes the attacker's code. This happens because the plugin doesn't properly clean or escape user input when processing shortcode parameters like 'url', 'color', and 'bgcolor'. All versions up to 1.0 are affected.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
The ZeM STL plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [zemstl] shortcode in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the 'url', 'color', and 'bgcolor' parameters. These attribute values are directly interpolated into HTML attribute context without being passed through esc_attr() or any other escaping function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
9 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-4081 is a Stored Cross-Site Scripting (XSS) vulnerability in the ZeM STL WordPress plugin. The vulnerability exists in the [zemstl] shortcode handler, which accepts user-supplied attributes without proper sanitization or output escaping. Specifically, the 'url', 'color', and 'bgcolor' parameters are directly interpolated into HTML attributes without using WordPress escaping functions like esc_attr(). An authenticated attacker with Contributor or higher privileges can craft a malicious shortcode that persists in the database and executes arbitrary JavaScript in the browser context of any visitor, achieving code execution in the site's frontend execution context with cross-site scope.
Business impact
This vulnerability creates a persistent attack vector on WordPress sites using the ZeM STL plugin. An attacker with Contributor access could deface pages, harvest user data, redirect visitors to malicious sites, or inject credential-stealing forms. Since the XSS is stored, every user viewing the affected page becomes a victim. Organizations relying on contributor-level permissions for editorial teams should assume that compromised contributor accounts or malicious insiders pose a real risk. The CVSS score of 6.4 reflects medium severity, but the stored nature and site-wide impact make this a practical concern for website availability and user trust.
Affected systems
WordPress installations running the ZeM STL plugin version 1.0 and earlier are vulnerable. The attack requires the attacker to have at least Contributor-level authentication, meaning they must have a valid WordPress user account with that privilege or higher. Sites that restrict contributor access to trusted team members face lower risk; sites that widely distribute contributor credentials face higher risk.
Exploitability
Exploitation requires valid WordPress authentication and Contributor-level privileges or above. No network-level exploit is possible; the attacker must have legitimate access to the WordPress admin or editor interface. The attack surface is internal to the organization's WordPress user base, making external mass exploitation unlikely. However, the ease of execution once credentials are obtained—simply inserting a malicious shortcode—is very high.
Remediation
Update the ZeM STL plugin to a patched version that properly sanitizes and escapes the 'url', 'color', and 'bgcolor' parameters. Check the plugin's GitHub repository or the WordPress plugin directory for an available update. If no patch is available, consider disabling or removing the plugin. As a temporary mitigation, restrict Contributor-level access to only highly trusted users, and conduct an audit of existing pages using the [zemstl] shortcode to identify any injected malicious code.
Patch guidance
Verify the latest available version of the ZeM STL plugin against the official WordPress plugin directory or the vendor's GitHub repository to confirm that a patch addressing improper input sanitization has been released. The vulnerability affects versions up to and including 1.0; any version released after CVE-2026-4081 publication should be evaluated for the fix. After patching, audit all pages that use the [zemstl] shortcode to ensure no malicious payloads have been stored. Test the patched version in a staging environment before deploying to production.
Detection guidance
Search your WordPress database for pages or posts containing the [zemstl] shortcode with suspicious attribute values, particularly within 'url', 'color', and 'bgcolor' parameters. Look for encoded JavaScript, event handlers (e.g., onerror=, onclick=), or unusual protocol schemes (e.g., javascript:, data:). Enable WordPress security logging and monitor for Contributor-level users creating or modifying posts with this shortcode. Use Web Application Firewalls (WAF) to detect and block stored XSS payloads before they are rendered. Review user access logs for Contributor accounts during and after the vulnerability window to identify suspicious activity.
Why prioritize this
Although this vulnerability has a CVSS score of 6.4 (Medium severity) and is not listed as a Known Exploited Vulnerability (KEV), it merits prompt attention because it is stored XSS affecting all site visitors. It requires only basic authentication, making it a realistic insider-risk or compromised-account threat. Organizations with permissive contributor access policies should prioritize patching above other Medium-severity issues. For sites with tight access controls, prioritization can be lower but should not be deferred indefinitely.
Risk score, explained
The CVSS 3.1 score of 6.4 reflects: Network accessibility (AV:N), low attack complexity (AC:L), and low privileges required (PR:L) tempered by the requirement for user interaction at the privilege escalation phase. The scope is changed (S:C), affecting resources beyond the vulnerable component, and confidentiality and integrity are impacted (C:L, I:L) but availability is not affected (A:N). This balances the ease of exploitation and persistence of the attack against the limitation that valid authentication is required upfront.
Frequently asked questions
Who can exploit this vulnerability?
Only authenticated WordPress users with Contributor-level access or higher (Editor, Admin) can exploit this vulnerability. They must have a valid WordPress login and sufficient permissions to create or edit posts and use shortcodes. This typically includes content editors, bloggers, and administrative staff.
Can external users exploit this without credentials?
No. An attacker must possess valid WordPress credentials with at least Contributor privileges. External unauthenticated users cannot exploit this vulnerability. However, if a Contributor account is compromised (weak password, phishing, credential reuse), an external attacker could then launch the exploit.
What happens if I don't update?
If the plugin is not updated and a malicious actor gains or already has Contributor access, they can inject stored XSS payloads that execute in the browsers of all site visitors. This could lead to data theft, malware distribution, account compromise, or reputation damage. The vulnerability persists in the database until manually removed or the plugin is patched.
Does this affect database backups?
If a malicious shortcode has been stored in a page or post, it will exist in database backups until those backups are either purged or the malicious content is removed and the database is re-backed up. When restoring from a backup that contains the payload, the XSS vulnerability remains exploitable on the restored site.
This analysis is provided for informational purposes and should not be construed as legal, technical, or business advice. Organizations are responsible for assessing the risk and impact of this vulnerability within their specific environments and for validating all patch versions against official vendor advisories. The CVSS score, affected versions, and patch availability information are based on ground-truth data current as of the publication date; please verify against the latest official sources. No exploit code or weaponized proof-of-concept is provided in this documentation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1