CVE-2026-6399— General Options <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'ad_contact_number' Parameter
Possible ATT&CK Techniques 1AI
T1059.001 · PowerShellAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| yog2515 | General Options | ≤ 1.1.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-6399
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
General Options <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'ad_contact_number' Parameter
Source: NVD (National Vulnerability Database)
Vulnerability Description
The General Options plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.1.0. This is due to the use of sanitize_text_field() for output escaping in the Contact Number (ad_contact_number) field — a function that strips HTML tags but does not encode double-quote characters to their HTML entity equivalent ("). When the stored value is echoed inside a double-quoted HTML attribute (value="..."), an attacker-supplied double-quote character breaks out of the attribute context. Even with WordPress's wp_magic_quotes mechanism (which prefixes quotes with a backslash), the resulting \" sequence is NOT treated as an escaped quote by HTML parsers — the backslash is rendered as a literal character and the bare double-quote still closes the attribute. This makes it possible for authenticated attackers with Administrator-level access and above to inject arbitrary web scripts in the admin settings page that will execute whenever any administrator visits the General Options settings page.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress plugin General Options 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin General Options 1.1.0及之前版本存在跨站脚本漏洞,该漏洞源于sanitize_text_field函数未编码双引号字符,可能导致具有管理员及以上权限的认证攻击者在管理设置页面注入任意Web脚本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| yog2515 | General Options | 0 ~ 1.1.0 | - |
II. Public POCs for CVE-2026-6399
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-6399
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-6399 (3)
Vendor Advisories for CVE-2026-6399 (1)
IV. Related Vulnerabilities
Same weakness: CWE-79
- CVE-2026-9357
vBulletin Login cross site scripting - CVE-2018-25349
userSpice 4.3.24 Cross-Site Scripting via X-Forwarded-For He - CVE-2026-41147
NukeViet CMS: Stored Cross-Site Scripting (XSS) via insuffic - CVE-2026-40607
MantisBT is Vulnerable to Stored XSS Through its Saved-Filte - CVE-2026-40598
MantisBT has Potential Referer-Based Reflected HTML Injectio
V. Comments for CVE-2026-6399
No comments yet