Attack Vectors
CVE-2026-4011 is a Medium-severity Stored Cross-Site Scripting (XSS) issue (CVSS 6.4) affecting Power Charts – Responsive Beautiful Charts & Graphs (plugin slug: wpgo-power-charts-lite) in versions <= 0.1.0.
The attack requires an authenticated WordPress user with at least Contributor permissions (or any role allowed to publish/edit content where shortcodes are processed). An attacker can place a crafted [pc] shortcode into a post/page and manipulate the id shortcode attribute so that malicious script is stored in your database and later executed when the content is viewed.
Because this is stored XSS, it can affect multiple visitors over time, including internal staff who review content in the browser. The provided CVSS vector indicates low attack complexity and network reachability, with scope change (S:C), which is often a sign that a compromise can “jump” context (for example, impacting admin sessions when admins view affected pages).
Security Weakness
The vulnerability is caused by insufficient input sanitization and output escaping of the id attribute in the plugin’s [pc] shortcode handler. According to the public analysis, the shortcode’s id value is extracted from user-supplied attributes and concatenated into an HTML div element’s class attribute without proper escaping, and the output is subsequently passed through html_entity_decode(), which can further increase risk.
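As an added illustration (not the plugin's code and not taken from the advisory), the PHP below contrasts a hypothetical shortcode handler in the shape the analysis describes with a hardened form that uses WordPress's sanitize_html_class() and esc_attr(); the stand-in helper definitions are simplified assumptions so the file also runs outside WordPress.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical [pc]-style shortcode
// handler in the vulnerable shape the advisory describes, beside a hardened form.

// Simplified stand-ins for WordPress helpers so the file runs outside WordPress
// (assumption: inside WordPress the real functions are defined and used instead).
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, $atts) {
        return array_merge($defaults, array_intersect_key((array) $atts, $defaults));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_html_class')) {
    function sanitize_html_class($class) {
        // Keep only characters that are valid in a class name.
        return preg_replace('/[^A-Za-z0-9_-]/', '', (string) $class);
    }
}

// Vulnerable shape: the id attribute is concatenated into a class attribute
// unescaped, and the finished markup is then run through html_entity_decode(),
// which also reverses any entity encoding applied upstream (e.g. &quot; -> ").
function pc_shortcode_vulnerable($atts) {
    $atts = shortcode_atts(['id' => ''], $atts);
    $html = '<div class="power-chart ' . $atts['id'] . '"></div>';
    return html_entity_decode($html);
}

// Hardened shape: constrain the value to what a class name may contain, escape
// it for the attribute context at output time, and never decode entities after.
function pc_shortcode_hardened($atts) {
    $atts = shortcode_atts(['id' => ''], $atts);
    $id   = sanitize_html_class($atts['id']);
    return '<div class="power-chart ' . esc_attr($id) . '"></div>';
}

// Constructed input containing a double quote, the character that closes the
// class attribute in the vulnerable handler; the hardened handler strips it.
$untrusted = ['id' => 'chart1" data-x="y'];
echo pc_shortcode_vulnerable($untrusted), PHP_EOL; // quote terminates the class value
echo pc_shortcode_hardened($untrusted), PHP_EOL;   // value stays inside the class attribute
```

Removing the html_entity_decode() call matters on its own: decoding after escaping silently undoes the escaping, so escaping must be the last step before output.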
In practical business terms, this means the plugin may accept and render untrusted content in a way that the browser interprets as executable script—turning a content entry point into a persistent web attack.
Remediation note: At the time of the referenced advisory, there is no known patch available. Organizations should evaluate mitigation options based on risk tolerance, and it may be most appropriate to uninstall the affected software and replace it with an alternative.
Technical or Business Impacts
Stored XSS can create immediate and measurable business risk, especially on marketing sites that handle lead flow, brand trust, and analytics:
Brand and customer trust impact: Malicious scripts can deface pages, inject unwanted pop-ups, redirect visitors, or alter on-page messaging—damaging brand credibility and reducing conversion rates.
Account and session risk: If a privileged user (such as an Administrator, Marketing Ops, or Content Manager) views an affected page while logged in, attacker-controlled scripts may be able to interact with the session in the browser. This can lead to unauthorized actions performed in that user’s context, depending on what security controls are in place.
Data exposure and compliance concerns: Scripts can potentially read and exfiltrate data visible in the browser (for example, page content, form data entered by users, or other sensitive information rendered client-side). This can create downstream compliance and incident response obligations depending on your environment and regulatory scope.
Operational disruption: Investigating stored XSS often requires content audits, page cleanup, and broader access reviews (who can publish, who can use shortcodes, and what plugins are active). This can disrupt marketing campaigns and publishing timelines.
Given the Medium severity and the lack of a known patch, risk reduction typically focuses on removal/replacement of the plugin, limiting content publishing rights to trusted users, and adding compensating controls (e.g., a WAF, tighter editorial workflows, and monitoring for unexpected shortcode usage).
Similar Attacks
Stored XSS vulnerabilities that require authenticated access (often at Contributor/Author level) have been a recurring issue across CMS ecosystems. For reference, here is a well-known example in WordPress core:
These incidents underscore a consistent business lesson: even “non-admin” publishing roles can become a meaningful attack path when plugins or themes render user-controlled attributes without strong sanitization and escaping—particularly on high-visibility marketing pages.