CVE-2026-6399 MEDIUM

CVE-2026-6399: General Options <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'ad_contact_number' Parameter

Vendor Yog2515
Product General Options
Weakness CWE-79 · XSS
Published May 20, 2026
Last update May 20, 2026

CVSS base score 4.4/10 (Medium)

Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Scope Changed
Confidentiality Low
Integrity Low
Availability None

CVSS vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Description

The General Options plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.1.0. The cause is the use of sanitize_text_field() for output escaping in the Contact Number (ad_contact_number) field. That function strips HTML tags but does not encode double-quote characters to their HTML entity equivalent (&quot;), so when the stored value is echoed inside a double-quoted HTML attribute (value="..."), an attacker-supplied double quote terminates the attribute and the remainder of the value is parsed as new markup. WordPress's wp_magic_quotes mechanism (which prefixes quotes with a backslash) does not prevent this: HTML parsers do not treat \" as an escaped quote; the backslash is rendered as a literal character and the bare double quote still closes the attribute.

As a result, authenticated attackers with Administrator-level access or higher can inject arbitrary web scripts into the admin settings page, and those scripts execute whenever any administrator visits the General Options settings page.
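To make the attribute-context point concrete, here is an added Python model (not the plugin's or WordPress's code) in which simplified stand-in functions play the roles of sanitize_text_field(), wp_magic_quotes() and esc_attr(), the field is rendered the way a value="..." template would render it, and Python's HTML parser shows how the result is split into attributes. The stand-in names, the tag-stripping model and the sample value are assumptions constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample value containing a double quote, modelled on what could be
# stored in the plugin's ad_contact_number option. It injects only an inert attribute.
STORED_VALUE = '555-0100" title="injected'

def sanitize_text_field_like(value: str) -> str:
    """Stand-in for WordPress sanitize_text_field() (assumption: modelled as tag
    stripping only). Like the real function, it leaves double quotes untouched."""
    return re.sub(r"<[^>]*>", "", value)

def magic_quotes_like(value: str) -> str:
    """Stand-in for wp_magic_quotes(): prefix each double quote with a backslash."""
    return value.replace('"', '\\"')

def esc_attr_like(value: str) -> str:
    """Stand-in for esc_attr(): encode &, <, >, double and single quotes as entities."""
    return html.escape(value, quote=True)

class InputAttrs(HTMLParser):
    """Collect the attributes the parser assigns to the <input> element."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def render_settings_field(escaped: str) -> dict:
    """Emit the field the way a value="..." template does and return how an
    HTML parser splits the result into attributes."""
    markup = f'<input type="text" name="ad_contact_number" value="{escaped}">'
    parser = InputAttrs()
    parser.feed(markup)
    return parser.attrs

def vulnerable_render(value: str, magic_quotes: bool = False) -> dict:
    """Rely on sanitize_text_field() alone for output, as in versions <= 1.1.0."""
    if magic_quotes:
        value = magic_quotes_like(value)
    return render_settings_field(sanitize_text_field_like(value))

def fixed_render(value: str) -> dict:
    """Escape for the attribute context at output time."""
    return render_settings_field(esc_attr_like(value))
```

In the vulnerable rendering the parser ends the value attribute at the injected quote and sees a new title attribute (with or without the magic-quotes backslash), whereas the output-escaped rendering keeps the whole string inside value; the remediation is context-appropriate escaping at output time, for which input sanitisation is not a substitute.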

Summary in simple terms

General Options versions 1.1.0 and earlier contain a cross-site scripting vulnerability that allows high-privilege users to inject malicious scripts affecting other users or the site. The vulnerability requires high attack complexity and high privileges to exploit. Impact is limited to low-level confidentiality and integrity compromise.

Attacker capabilities

Inject malicious scripts that affect other users or site functionality.

Site impact

Administrators with malicious intent or compromised admin accounts could inject scripts affecting site visitors or data integrity.

Prerequisites

Attacker must have high-level privileges (e.g., administrator role) and the attack requires specific conditions to succeed.

Disclosure timeline

May 20, 2026 CVE published
May 20, 2026 Record updated
