Description
The Info Cards – Add Text and Media in Card Layouts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnUrl' parameter within the Info Cards block in all versions up to, and including, 2.0.7. This is due to insufficient input validation on URL schemes, specifically the lack of javascript: protocol filtering. The block's render.php passes all attributes as JSON to the frontend via a data-attributes HTML attribute using esc_attr(wp_json_encode()), which prevents HTML attribute injection but does not validate URL protocols within the JSON data. The client-side view.js then renders the btnUrl value directly as an href attribute on anchor elements without any protocol sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject javascript: URLs that execute arbitrary web scripts when a user clicks the rendered button link.
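The flow the description walks through, as an added example (not the plugin's own render.php or view.js): attributes are JSON-encoded and attribute-escaped on the server, read back on the client, and the btnUrl value is dropped into an href. The vulnerable renderer is shown beside a hardened one that allow-lists the URL scheme; the attribute shape { btnText, btnUrl } and the site origin are assumptions.

```javascript
const SAFE_PROTOCOLS = new Set(["http:", "https:", "mailto:", "tel:"]);

// Minimal attribute escaping, the same idea as WordPress esc_attr().
function escAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" })[c]);
}

// Reverse of escAttr, as the browser does when view.js reads the attribute back.
function unescAttr(s) {
  return s.replace(/&quot;/g, '"').replace(/&#039;/g, "'").replace(/&lt;/g, "<")
          .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Allow-list the URL scheme. Relative URLs resolve against the site origin and so inherit
// http(s); the URL parser normalises scheme case and surrounding whitespace, which a naive
// startsWith("javascript:") check would miss. Assumed origin is a placeholder.
function safeHref(url, siteOrigin = "https://site.invalid") {
  if (typeof url !== "string") return "#";
  let parsed;
  try {
    parsed = new URL(url, siteOrigin);
  } catch {
    return "#";
  }
  return SAFE_PROTOCOLS.has(parsed.protocol) ? url : "#";
}

// render.php side: esc_attr(wp_json_encode($attrs)). Attribute breakout is prevented,
// but a javascript: scheme survives the round trip untouched.
function emitDataAttributes(attrs) {
  return escAttr(JSON.stringify(attrs));
}

// view.js side: read the block attributes back from the data-attributes value.
function readBlockAttributes(dataAttributesValue) {
  return JSON.parse(unescAttr(dataAttributesValue));
}

// Vulnerable view.js behaviour: btnUrl goes straight into href.
function renderButtonVulnerable(attrs) {
  return `<a href="${escAttr(attrs.btnUrl)}">${escAttr(attrs.btnText)}</a>`;
}

// Hardened form: scheme check before the value ever reaches href.
function renderButtonSafe(attrs) {
  return `<a href="${escAttr(safeHref(attrs.btnUrl))}">${escAttr(attrs.btnText)}</a>`;
}

// Constructed sample of a stored block whose btnUrl carries a javascript: scheme.
const SAMPLE_ATTRS = readBlockAttributes(emitDataAttributes({ btnText: "Read more", btnUrl: "javascript:void(0)" }));
```

The same safeHref check doubles as a scan predicate for the remediation step below: any stored btnUrl for which it returns "#" needs review.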
Published: 2026-03-19
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Info Cards – Add Text and Media in Card Layouts plugin for WordPress is vulnerable to Stored Cross‑Site Scripting. Attackers authenticated with Contributor-level access or higher can inject a malicious javascript: URL into the btnUrl parameter of the block. When the block is rendered, the client‑side code inserts this value directly into an href attribute of an anchor element without protocol sanitization. As a result, legitimate users clicking the link will trigger arbitrary client‑side code in the victim’s browser, leading to potential data theft, session hijacking, or site defacement. This weakness is classified as CWE‑79.

Affected Systems

The vulnerability affects the Bplugins Info Cards – Add Text and Media in Card Layouts WordPress plugin in all versions up to and including 2.0.7. No later version information is provided in the available data, so any instance running 2.0.7 or earlier is potentially exposed.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. The EPSS score is not provided, and the vulnerability is not listed in CISA’s KEV catalog. Attackers must first authenticate with Contributor or higher privilege to edit the block; therefore the vector is local. Once the malicious URL is stored, it will affect all users who view the block, allowing the attacker to execute injected scripts in the context of the visible site. While the attack cannot be launched remotely without authentication, a compromised contributor account or social engineering of such an account can lead to widespread compromise within the site.

Generated by OpenCVE AI on March 19, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Immediately upgrade the Info Cards plugin to a version newer than 2.0.7
  • If an upgrade is not feasible, restrict Contributor+ users from editing Info Cards blocks or disable the block entirely until a patch is available
  • Verify that no existing stored javascript: URLs remain in the database and sanitize or remove them if found


Advisories

No advisories yet.

History

Fri, 20 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Bplugins; Bplugins info Cards – Add Text And Media In Card Layouts; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Bplugins; Bplugins info Cards – Add Text And Media In Card Layouts; Wordpress; Wordpress wordpress

Thu, 19 Mar 2026 07:15:00 +0000

Type: Description
Values Added: The Info Cards – Add Text and Media in Card Layouts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnUrl' parameter within the Info Cards block in all versions up to, and including, 2.0.7. This is due to insufficient input validation on URL schemes, specifically the lack of javascript: protocol filtering. The block's render.php passes all attributes as JSON to the frontend via a data-attributes HTML attribute using esc_attr(wp_json_encode()), which prevents HTML attribute injection but does not validate URL protocols within the JSON data. The client-side view.js then renders the btnUrl value directly as an href attribute on anchor elements without any protocol sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject javascript: URLs that execute arbitrary web scripts when a user clicks the rendered button link.

Type: Title
Values Added: Info Cards <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:57.427Z

Reserved: 2026-03-13T13:30:30.809Z

Link: CVE-2026-4120

Vulnrichment

Updated: 2026-03-20T15:17:50.757Z

NVD

Status: Awaiting Analysis

Published: 2026-03-19T07:16:00.290

Modified: 2026-03-19T13:25:00.570

Link: CVE-2026-4120

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:15:50Z

Weaknesses