Attack Vectors
CVE-2026-4005 is a Medium-severity Stored Cross-Site Scripting (XSS) vulnerability (CVSS 6.4) affecting the Coachific Shortcode WordPress plugin (slug: coachific-shortcode) in all versions up to and including 1.0.
The attack requires an authenticated WordPress account with Contributor-level privileges or higher. An attacker can place a malicious payload in the shortcode’s userhash attribute. Because the payload can be stored and later executed whenever the affected content is viewed, this is a “stored” XSS risk rather than a one-time, click-driven issue.
In practical terms for business teams: if your editorial workflow includes guest authors, contractors, interns, or multiple internal contributors, this expands the pool of accounts that could be abused through phishing, credential reuse, or insider risk—without requiring admin-level access.
Security Weakness
The vulnerability exists because the userhash value is not handled safely for a JavaScript context. The plugin applies sanitize_text_field() to the value, which strips HTML tags but does not neutralize characters that are significant inside a JavaScript string (for example, quotes and other characters that can terminate the string literal).
Per the published advisory, the sanitized value is then directly interpolated into a JavaScript string within a <script> tag without appropriate JavaScript-specific escaping, enabling Stored XSS under the right conditions.
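To make the weakness concrete, the following is an added example in Python, not code from the plugin or from the advisory. It models the pattern described above: a stand-in for WordPress's sanitize_text_field() that strips tags, the flawed interpolation of the sanitized userhash into a JavaScript string literal, and a hardened version that encodes the value for the script context instead. The sanitizer is an approximation of the real function, the variable name userhash and the PHP equivalent named in the comments are assumptions, and the sample inputs are constructed. The unescaped_quote_count() helper is a simple check a reviewer can run over rendered output to spot a value that has escaped its string literal.

```python
import json
import re


# Stand-in for WordPress sanitize_text_field(): strips tags, removes control
# characters, trims whitespace. An approximation of the real function for
# demonstration only; like the real one, it leaves quote characters untouched.
def sanitize_text_field(value: str) -> str:
    value = re.sub(r"<[^>]*>", "", value)           # strip HTML tags
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)   # drop control characters
    return value.strip()


def render_vulnerable(userhash: str) -> str:
    """Models the flawed pattern from the advisory: a value sanitized for an
    HTML context is interpolated straight into a JavaScript string literal."""
    sanitized = sanitize_text_field(userhash)
    return f'<script>var userhash = "{sanitized}";</script>'


def render_hardened(userhash: str) -> str:
    """Encodes the value for the JavaScript context. JSON encoding escapes
    quotes and backslashes; escaping '/' additionally keeps a literal
    '</script>' from closing the element. (Assumed PHP equivalent:
    wp_json_encode(), which escapes slashes by default.)"""
    sanitized = sanitize_text_field(userhash)
    encoded = json.dumps(sanitized).replace("/", "\\/")
    return f"<script>var userhash = {encoded};</script>"


def unescaped_quote_count(script_html: str) -> int:
    """Review check over rendered output: a single JS string literal must hold
    exactly two unescaped double quotes. Any other count means the stored
    value broke out of the string and is now being parsed as code."""
    return len(re.findall(r'(?<!\\)"', script_html))


if __name__ == "__main__":
    # Constructed inputs: a plausible hash, and a value carrying a double quote.
    for sample in ("a1b2c3d4", 'abc"; injected = true; //'):
        vuln = render_vulnerable(sample)
        hard = render_hardened(sample)
        print("vulnerable:", vuln, "| unescaped quotes:", unescaped_quote_count(vuln))
        print("hardened:  ", hard, "| unescaped quotes:", unescaped_quote_count(hard))
```

The first sample renders identically through both paths, which is why tag-stripping alone looks adequate in normal testing. The second sample shows the difference: the sanitizer passes the double quote through unchanged, the vulnerable renderer produces three unescaped quotes (the literal has been terminated early), and the hardened renderer produces exactly two because the quote is escaped for the JavaScript context.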
Reference: CVE-2026-4005 record and the research write-up from Wordfence Threat Intelligence.
Technical or Business Impacts
Stored XSS can translate quickly into business risk because it can execute in a trusted website context. Potential outcomes include: session theft (leading to account takeover), unauthorized actions performed as the victim user, content manipulation, and the insertion of deceptive prompts that capture leads or payment information.
For marketing and executive stakeholders, the most likely high-impact scenarios are brand damage (malicious pop-ups or defacement visible to customers), lead and revenue loss (redirecting campaign traffic), and compliance exposure (customer data capture via deceptive forms). Even with a Medium CVSS score, the “stored” nature means the payload can persist on high-traffic pages until discovered.
Remediation status: there is no known patch available at this time. Based on risk tolerance, the safest approach may be to uninstall Coachific Shortcode and replace it with an alternative that is actively maintained. If removal is not immediately possible, consider mitigations such as restricting Contributor access, tightening publishing workflows (e.g., requiring review before publish), and increasing monitoring for unexpected script behavior on public pages.
Similar Attacks
Stored XSS has been used historically to spread quickly and impact large audiences by executing in the context of trusted sites and user sessions. Notable real-world examples include:
The “Samy” MySpace worm (stored XSS)
The 2010 “onMouseOver” Twitter XSS incident (self-propagating behavior)