Description
The Show Posts list – Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_type' shortcode attribute in the 'swiftpost-list' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Patch Now
AI Analysis

Impact

The flaw permits an authenticated user with contributor or higher privileges to insert arbitrary scripts via the 'post_type' attribute of the 'swiftpost-list' shortcode. Because the plugin does not sufficiently sanitize and escape this attribute, the injected markup is stored with the post and later rendered in the browser of every visitor to the affected page, enabling phishing, credential theft, or other malicious activity.
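As an added illustration of this bug class (not the plugin's own code, which is not reproduced here), the following shows the pattern behind a shortcode-attribute stored XSS beside a hardened handler that validates post_type against the site's registered public post types and escapes on output. The shortcode name example-list, the function names and the count attribute are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's code. Shortcode name and function
// names are assumed for the example.

// Vulnerable pattern: the attribute value is placed in markup as-is, so any
// markup a contributor puts in post_type is saved with the post and rendered
// for every visitor when the shortcode is expanded (CWE-79, stored XSS).
function example_list_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'post_type' => 'post' ), $atts, 'example-list' );
    return '<div class="example-list" data-post-type="' . $atts['post_type'] . '"></div>';
}

// Hardened form: validate the attribute against a closed set before using it,
// and escape every value at the point it enters HTML.
function example_list_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'post_type' => 'post', 'count' => 5 ),
        $atts,
        'example-list'
    );

    // Allow only a registered public post type; fall back to 'post' otherwise.
    // sanitize_key() keeps lowercase alphanumerics, '-' and '_' only.
    $post_type = sanitize_key( $atts['post_type'] );
    $public    = get_post_types( array( 'public' => true ), 'names' );
    if ( ! isset( $public[ $post_type ] ) ) {
        $post_type = 'post';
    }

    // Bound the numeric attribute as well; absint() can never return markup.
    $count = absint( $atts['count'] );
    if ( $count < 1 || $count > 50 ) {
        $count = 5;
    }

    $query = new WP_Query( array(
        'post_type'      => $post_type,
        'posts_per_page' => $count,
        'post_status'    => 'publish',
    ) );

    // Escape on output even though $post_type was validated: the allow-list
    // defends against stored payloads, the escaping still holds if the
    // allow-list is loosened later.
    $out = '<ul class="example-list" data-post-type="' . esc_attr( $post_type ) . '">';
    while ( $query->have_posts() ) {
        $query->the_post();
        $out .= '<li><a href="' . esc_url( get_permalink() ) . '">'
              . esc_html( get_the_title() ) . '</a></li>';
    }
    wp_reset_postdata();
    return $out . '</ul>';
}
add_shortcode( 'example-list', 'example_list_shortcode' );
```

Contributors normally lack the unfiltered_html capability, so KSES strips script markup from their post content on save; shortcode text is not HTML and passes through intact, which is why an attribute echoed without escaping at render time becomes a stored XSS vector. The hardened handler closes both gaps: the value cannot be anything but a known post type name, and the escaping functions make the output inert regardless.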

Affected Systems

The Show Posts list – Easy designs, filters and more plugin by creativedev4 is affected in all releases up to and including 1.1.0. Users with contributor-level or higher access can exploit the shortcode to inject the payload.

Risk and Exploitability

The CVSS score of 6.4 marks this issue as medium severity. An EPSS score below 1% and absence from the CISA KEV catalog suggest that exploitation has not been widely observed yet, but because the XSS is stored, every view of the affected page by an ordinary user triggers the malicious code. Attackers must first authenticate with at least contributor rights, which limits but does not eliminate the threat. Once an injected payload is present, it executes in the browser context of every visitor to the compromised content.

Generated by OpenCVE AI on March 21, 2026 at 07:09 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Show Posts list plugin to the latest available version, which removes the vulnerable handling of the post_type attribute.
  • If an immediate upgrade is not possible, revoke contributor or higher privileges for users who do not need them or adjust role capabilities to restrict shortcode usage.
  • Delete or replace all instances of the swiftpost-list shortcode in existing content until a patched version is installed.
  • Regularly monitor the plugin’s update releases and apply security fixes as soon as they become available.

Generated by OpenCVE AI on March 21, 2026 at 07:09 UTC.
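The third recommended action above requires knowing where the shortcode is used. The following is an added example, not OpenCVE's or the plugin's code: it lists every row in the posts table whose content contains a given shortcode, including revisions, so each occurrence can be reviewed before a patched version is installed. The function name and the report format are assumptions; it can be run with `wp eval-file` or from a site-specific plugin.

```php
<?php
// Added example, not OpenCVE's or the plugin's code. Lists posts whose
// content contains "[<shortcode>" so they can be reviewed or edited.
// Run with `wp eval-file find-shortcode.php` or from a site-specific plugin.

function example_find_shortcode_posts( $shortcode ) {
    global $wpdb;

    // Escape LIKE wildcards in the shortcode name, then match "[name"
    // anywhere in post_content. The prepared statement keeps this safe
    // even if the name is ever taken from user input.
    $like = '%' . $wpdb->esc_like( '[' . $shortcode ) . '%';

    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_type, post_status, post_author, post_modified
               FROM {$wpdb->posts}
              WHERE post_content LIKE %s
              ORDER BY post_modified DESC",
            $like
        )
    );
}

// Report: one tab-separated line per row, with the author login so the
// accounts that placed the shortcode can be checked against the
// contributor-level threat model described above.
foreach ( example_find_shortcode_posts( 'swiftpost-list' ) as $row ) {
    $author = get_userdata( $row->post_author );
    printf(
        "%d\t%s\t%s\t%s\t%s\n",
        $row->ID,
        $row->post_type,
        $row->post_status,
        $author ? $author->user_login : 'unknown',
        $row->post_modified
    );
}
```

Rows with post_type 'revision' are deliberately not filtered out: a post that has already been edited to remove the shortcode may still carry the original attribute value in its revision history, and restoring that revision would bring it back.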

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:15:00 +0000

Type: Metrics
Values removed:
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values removed:
Values added: Creativedev4; Creativedev4 show Posts List – Easy Designs, Filters And More; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed:
Values added: Creativedev4; Creativedev4 show Posts List – Easy Designs, Filters And More; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values removed:
Values added: The Show Posts list – Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_type' shortcode attribute in the 'swiftpost-list' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values removed:
Values added: Show Posts list <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Type: Weaknesses
Values removed:
Values added: CWE-79

Type: References
Values removed:
Values added:

Type: Metrics
Values removed:
Values added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:44.804Z

Reserved: 2026-03-11T20:18:12.165Z

Link: CVE-2026-4022

Vulnrichment

Updated: 2026-03-23T17:45:58.658Z

NVD

Status: Awaiting Analysis

Published: 2026-03-21T04:17:39.853

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-4022

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:41:20Z

Weaknesses