CVE-2026-4088 - Vulnerability Details

- Switch CTA Box <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description

The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppw_cta_box' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'cta_box_button_link', 'cta_box_button_id', 'cta_box_button_text', and 'cta_box_description'. The shortcode reads post meta from a user-specified post ID and echoes these values directly into HTML output without any escaping functions (no esc_attr(), esc_url(), or esc_html()). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2026-04-22

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Switch CTA Box plugin contains a stored cross‑site scripting vulnerability in all releases up to and including 1.1. Insufficient sanitization of user‑supplied post meta such as link, button ID, text, and description allows an attacker to inject arbitrary JavaScript that will run for any visitor to a page containing the shortcode. The flaw is scoped to authenticated users with contributor or higher privileges, meaning sites with many contributors are at risk.

Affected Systems

WordPress sites running the Switch CTA Box plugin version 1.1 or earlier. The vulnerability appears in the plugin’s active shortcode implementation, which displays content on post pages identified by a supplied post ID.

Risk and Exploitability

The CVSS score of 6.4 categorises this as a medium‑severity flaw. The EPSS score is not available, but the lack of listing in CISA’s KEV catalog suggests no widespread public exploitation is yet documented. Exploitation requires credentials with contributor access and involves injecting script payloads into the plugin’s shortcode output. Once injected, the payload executes in the context of any site visitor, potentially allowing defacement, cookie theft, or other client‑side attacks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

wpshouter

Switch CTA Box

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1

No data.

Vendor Product Confidence Versions

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Wpshouter

Switch Cta Box

100%

Version	Status	Scheme	Platform
`[0,1.1]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Switch CTA Box to the latest stable release that includes the stored‑XSS fix (e.g., version 1.2 or later).
If an upgrade cannot be performed immediately, remove or disable the 'wppw_cta_box' shortcode from all themes and pages until the plugin is patched.
As a temporary workaround for sites that must keep the shortcode, edit the shortcode handler to wrap all user‑supplied values with WordPress escaping functions such as esc_attr(), esc_url(), and esc_html().
Restrict contributor‑level user permissions to only those who are fully trusted, reducing the number of accounts that can introduce malicious payloads.

Generated by OpenCVE AI on April 22, 2026 at 09:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00021.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/box_display_template.php#L14
https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/box_display_template.php#L18
https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/box_display_template.php#L2
https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/shortcode_setup.php#L8
https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/box_display_template.php#L14
https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/box_display_template.php#L18
https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/box_display_template.php#L2
https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/shortcode_setup.php#L8
https://www.wordfence.com/threat-intel/vulnerabilities/id/19a3fc90-b81c-4451-80e0-cead99a2dcd9?source=cve

History

Wed, 22 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress Wpshouter Wpshouter switch Cta Box
Vendors & Products		Wordpress Wordpress wordpress Wpshouter Wpshouter switch Cta Box

Wed, 22 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
Description		The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppw_cta_box' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'cta_box_button_link', 'cta_box_button_id', 'cta_box_button_text', and 'cta_box_description'. The shortcode reads post meta from a user-specified post ID and echoes these values directly into HTML output without any escaping functions (no esc_attr(), esc_url(), or esc_html()). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Switch CTA Box <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/box_display_template.php#L14 https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/box_display_template.php#L18 https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/box_display_template.php#L2 https://plugins.trac.wordpress.org/browser/switch-cta-box/tags/1.1/inc/shortcode_setup.php#L8 https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/box_display_template.php#L14 https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/box_display_template.php#L18 https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/box_display_template.php#L2 https://plugins.trac.wordpress.org/browser/switch-cta-box/trunk/inc/shortcode_setup.php#L8 https://www.wordfence.com/threat-intel/vulnerabilities/id/19a3fc90-b81c-4451-80e0-cead99a2dcd9?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Wordpress Wordpress

Wpshouter Switch Cta Box

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-04-22T07:45:31.826Z

Updated: 2026-04-22T07:45:31.826Z

Reserved: 2026-03-12T21:01:55.593Z

Link: CVE-2026-4088

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-04-22T09:16:22.560

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-4088

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:44:21Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object