Description
The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-21
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated attacker with Editor‑level or higher privileges to store malicious JavaScript in the 'Icon CSS Class' field of a category. Because the plugin does not properly escape user input when rendering the icons, the injected script runs in the context of any visitor who views a page containing that category. This is a classic stored XSS flaw (CWE‑79), enabling attackers to hijack user sessions, deface content, or redirect users to phishing sites.

Affected Systems

The affected plugin is WPB Floating Menu or Categories – Sticky Floating Side Menu & Categories with Icons for WordPress. All installed copies of the plugin version 1.0.8 and earlier are vulnerable. No other WordPress components are mentioned as affected.

Risk and Exploitability

The CVSS score is 4.9, representing moderate severity. The EPSS score is not provided and the issue is not listed in the CISA KEV catalog, suggesting that it has not yet been widely exploited in the wild. Exploitation requires an authenticated user with the Editor role or higher. An attacker can create or modify a category and supply a crafted value for the icon CSS class; when any site visitor loads a page that displays that category, the embedded script executes, compromising that visitor’s session or delivering further payloads.

Generated by OpenCVE AI on May 21, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPB Floating Menu or Categories plugin to the latest available version where the XSS issue is fixed.
  • If an update is not immediately possible, remove or change all entries in the 'Icon CSS Class' field to safe values (e.g., empty or a known benign class) and restrict the ability to edit these fields to administrators only.
  • If you are maintaining the plugin source code, add proper input validation and output escaping around the icon CSS class field to ensure that any value stored or rendered does not execute as script.

Generated by OpenCVE AI on May 21, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpbean
Wpbean wpb Floating Menu Or Categories – Sticky Floating Side Menu & Categories With Icons
Vendors & Products Wordpress
Wordpress wordpress
Wpbean
Wpbean wpb Floating Menu Or Categories – Sticky Floating Side Menu & Categories With Icons

Thu, 21 May 2026 03:30:00 +0000

Type Values Removed Values Added
Description The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title WPB Floating Menu or Categories – Sticky Floating Side Menu & Categories with Icons <= 1.0.8 - Authenticated (Editor+) Stored Cross-Site Scripting via 'Icon CSS Class' Category Field
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Wordpress Wordpress
Wpbean Wpb Floating Menu Or Categories – Sticky Floating Side Menu & Categories With Icons
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-21T12:29:25.470Z

Reserved: 2026-03-25T12:58:04.230Z

Link: CVE-2026-4811

cve-icon Vulnrichment

Updated: 2026-05-21T12:29:19.602Z

cve-icon NVD

Status : Deferred

Published: 2026-05-21T04:16:31.133

Modified: 2026-05-21T15:19:30.540

Link: CVE-2026-4811

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T08:18:31Z

Weaknesses