Description
The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the [tt_part] and [tt] shortcodes in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the avp_texttoggle_part_shortcode() function, the 'title' attribute is extracted from shortcode attributes and concatenated directly into HTML output without any escaping — both within an HTML attribute context (title="...") on line 116 and in HTML content on line 119. While the 'class' attribute is properly validated using ctype_alnum(), the 'title' attribute has no sanitization whatsoever. An attacker can inject double-quote characters to break out of the title attribute and inject arbitrary HTML attributes including event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via plugin shortcode title attribute
Action: Immediate Patch
AI Analysis

Impact

The Text Toggle plugin for WordPress is susceptible to stored cross‑site scripting when the 'title' attribute of the [tt_part] or [tt] shortcodes is used. Because the plugin concatenates the raw attribute value directly into both an HTML attribute (title="...") and element content without escaping, a value containing a double quote closes the attribute and can add arbitrary attributes such as event handlers, so a script runs in the browser of any user who views the affected page. Shortcode attribute text is stored as plain text in the post body and is not inspected by the kses filtering that otherwise strips HTML from Contributor posts, which is why a low-privilege account is enough. The weakness is CWE‑79; the CVSS vector rates the impact on confidentiality and integrity as low and on availability as none, with changed scope (S:C) because the script executes in a different user's session than the one that stored it.
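
The two sinks the description names, as an added illustration that is not the plugin's source (this page does not reproduce avp_texttoggle_part_shortcode(); the markup, the attribute defaults and the example_ function names below are assumptions): a constructed handler that concatenates a raw 'title' into both an attribute and element content, beside a hardened version that escapes for each context with esc_attr() and esc_html(). Stand-ins for esc_attr(), esc_html() and shortcode_atts() are defined only when WordPress has not defined them, so the file runs under plain php.

```php
<?php
// Added example, not the plugin's code. Reconstructs the pattern the CVE
// describes (raw 'title' used in an attribute and as content) and shows the
// context-specific escaping that closes it. Markup and defaults are assumed.

// Stand-ins so the file runs outside WordPress; inside WordPress the real
// functions are already defined and these blocks are skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts ) {
        return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
    }
}

// Vulnerable shape: 'class' is restricted with ctype_alnum(), 'title' is not,
// and the same raw string lands in title="..." and inside a <span>.
function example_tt_part_vulnerable( $atts, $content = '' ) {
    $a     = shortcode_atts( array( 'title' => '', 'class' => '' ), $atts );
    $class = ctype_alnum( $a['class'] ) ? $a['class'] : '';
    $title = $a['title']; // no escaping at all
    return '<div class="tt-part ' . $class . '" title="' . $title . '">'
         . '<span class="tt-title">' . $title . '</span>'
         . '<div class="tt-body">' . $content . '</div></div>';
}

// Hardened shape: escape at the point of output, once per sink, for the
// context that sink is in. Enclosed content is left as the handler received
// it; it is the post body, not the attribute this CVE concerns.
function example_tt_part_fixed( $atts, $content = '' ) {
    $a     = shortcode_atts( array( 'title' => '', 'class' => '' ), $atts );
    $class = ctype_alnum( $a['class'] ) ? $a['class'] : '';
    return '<div class="tt-part ' . esc_attr( $class ) . '" title="' . esc_attr( $a['title'] ) . '">'
         . '<span class="tt-title">' . esc_html( $a['title'] ) . '</span>'
         . '<div class="tt-body">' . $content . '</div></div>';
}

// Constructed payload. In post content it would be written with a
// single-quoted shortcode attribute, e.g. [tt_part title='x" onmouseover="alert(document.domain)'],
// which the shortcode parser hands to the handler as this one value.
$atts = array(
    'title' => 'x" onmouseover="alert(document.domain)',
    'class' => 'note',
);

echo example_tt_part_vulnerable( $atts, 'body' ), "\n";
echo example_tt_part_fixed( $atts, 'body' ), "\n";
```

Run it with php and compare the two lines: in the vulnerable output the payload closes the title attribute and leaves an onmouseover= handler on the div, while in the hardened output the double quote is emitted as &quot; and the attribute stays closed. The single-quoted shortcode attribute is the usual delivery, because the parser accepts an embedded double quote inside a single-quoted value and kses does not examine shortcode attribute text when a Contributor saves the post.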

Affected Systems

Any WordPress installation with the hoosierdragon Text Toggle plugin active at version 1.1 or earlier is affected. Exploitation requires an account with Contributor‑level or higher privileges to save a post or page containing a [tt] or [tt_part] shortcode with a crafted 'title' attribute; once stored, the payload runs for any user who views the rendered page, including the editors or administrators who preview a pending post for review.

Risk and Exploitability

The CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates medium severity. The EPSS score is below 1%, and the vulnerability is not listed in CISA's KEV catalog. An attacker needs an authenticated Contributor (or higher) account to insert the malicious shortcode; once the payload is stored, it is rendered and executed for every user who views the page, so the exploit is reliable but confined to sites that hand out such accounts to people who are not fully trusted.

Generated by OpenCVE AI on March 21, 2026 at 07:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Text Toggle plugin as soon as a release later than 1.1 is published in the WordPress plugin repository; at the time of this page no fixed version is listed
  • If an upgrade is not possible, remove or deactivate the plugin entirely to eliminate the attack surface
  • Until the issue is resolved, prevent roles that are not trusted with unfiltered HTML (Contributor, Author) from publishing content containing the [tt] and [tt_part] shortcodes, or unregister those two shortcodes with remove_shortcode() so they render as plain text
  • As a temporary workaround, escape the 'title' attribute of the [tt] and [tt_part] shortcodes before the plugin renders it, for example from a must‑use plugin hooked into shortcode processing
  • Search existing posts, pages and revisions for [tt] or [tt_part] shortcodes whose 'title' attribute contains quote characters, angle brackets or on*= event handlers, and clean or delete the affected content
  • Take a backup before applying any of these changes so they can be reversed
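
A concrete form of the temporary workaround above, as an added example rather than anything the vendor or OpenCVE provides: a must‑use plugin that intercepts the [tt] and [tt_part] shortcodes through WordPress's pre_do_shortcode_tag filter, escapes the 'title' attribute, logs titles that carried quote characters, angle brackets or event‑handler text, and then invokes the handler the plugin registered with the cleaned attributes. It assumes the two shortcodes are registered with add_shortcode() under those tag names (the path do_shortcode() dispatches through) and that the plugin accepts a pre‑escaped title; the tt_hardening_ function names are this example's own.

```php
<?php
/**
 * Plugin Name: Text Toggle title hardening (temporary)
 * Description: Added example, not vendor code. Escapes the 'title' attribute of
 * [tt] and [tt_part] before the Text Toggle handlers run. Place in
 * wp-content/mu-plugins/ and delete it once a fixed release is installed.
 */

defined( 'ABSPATH' ) || exit;

add_filter( 'pre_do_shortcode_tag', 'tt_hardening_pre_do_shortcode_tag', 10, 4 );

/**
 * Runs before do_shortcode() dispatches a tag. Returning anything other than
 * false short-circuits the normal call, so after cleaning 'title' we invoke
 * the registered handler ourselves with the arguments do_shortcode_tag()
 * would have passed.
 *
 * @param false|string $return false lets WordPress proceed normally.
 * @param string       $tag    Shortcode name.
 * @param array|string $attr   Parsed attributes ('' when there are none).
 * @param array        $m      Regex match; $m[5] is the enclosed content.
 * @return false|string
 */
function tt_hardening_pre_do_shortcode_tag( $return, $tag, $attr, $m ) {
    global $shortcode_tags;

    if ( ! in_array( $tag, array( 'tt', 'tt_part' ), true ) ) {
        return $return;
    }
    if ( ! is_array( $attr ) || ! isset( $attr['title'] ) ) {
        return $return;
    }
    if ( empty( $shortcode_tags[ $tag ] ) || ! is_callable( $shortcode_tags[ $tag ] ) ) {
        return $return; // tag is not registered; let WordPress handle it
    }

    $raw   = (string) $attr['title'];
    $clean = tt_hardening_clean_title( $raw );

    // A benign title is unchanged by escaping. Log the ones that were not, so
    // already-stored payloads are surfaced as they render and can be removed.
    if ( $clean !== $raw && preg_match( '/["<>]|\bon\w+\s*=/i', $raw ) ) {
        error_log( sprintf(
            'Text Toggle hardening: suspicious [%s] title in post %d',
            $tag,
            (int) get_the_ID()
        ) );
    }

    $attr['title'] = $clean;
    $content       = isset( $m[5] ) ? $m[5] : null;

    return call_user_func( $shortcode_tags[ $tag ], $attr, $content, $tag );
}

/**
 * Strip tags, then entity-encode quotes and angle brackets. The encoded value
 * is safe in both sinks the CVE names: inside title="..." it cannot close the
 * attribute, and as element content it renders back as literal characters.
 */
function tt_hardening_clean_title( $title ) {
    $title = wp_strip_all_tags( (string) $title, true );
    return esc_attr( $title );
}
```

Because the plugin concatenates the value it receives, the pre‑escaped title is emitted verbatim and is inert in both contexts. If a later plugin release adds its own esc_attr()/esc_html() calls, the title is double‑encoded while this file is still present (a visible &amp;quot; rather than a security problem), which is the cue to remove the workaround after upgrading.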

Generated by OpenCVE AI on March 21, 2026 at 07:10 UTC.


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values added: Hoosierdragon; Hoosierdragon text Toggle; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Hoosierdragon; Hoosierdragon text Toggle; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values added: The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the [tt_part] and [tt] shortcodes in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the avp_texttoggle_part_shortcode() function, the 'title' attribute is extracted from shortcode attributes and concatenated directly into HTML output without any escaping — both within an HTML attribute context (title="...") on line 116 and in HTML content on line 119. While the 'class' attribute is properly validated using ctype_alnum(), the 'title' attribute has no sanitization whatsoever. An attacker can inject double-quote characters to break out of the title attribute and inject arbitrary HTML attributes including event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values added: Text Toggle <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute

Type: Weaknesses
Values added: CWE-79

Type: References
Values added:

Type: Metrics (cvssV3_1)
Values added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:38.506Z

Reserved: 2026-03-11T17:06:39.345Z

Link: CVE-2026-3997

Vulnrichment

Updated: 2026-03-23T16:26:57.228Z

NVD

Status: Deferred

Published: 2026-03-21T04:17:37.530

Modified: 2026-04-24T16:27:44.277

Link: CVE-2026-3997

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:41:31Z

Weaknesses