CVE-2026-4120

March 19, 2026, 1:25 p.m.

6.4
Medium

Description

The Info Cards – Add Text and Media in Card Layouts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnUrl' parameter within the Info Cards block in all versions up to, and including, 2.0.7. This is due to insufficient input validation on URL schemes, specifically the lack of javascript: protocol filtering. The block's render.php passes all attributes as JSON to the frontend via a data-attributes HTML attribute using esc_attr(wp_json_encode()), which prevents HTML attribute injection but does not validate URL protocols within the JSON data. The client-side view.js then renders the btnUrl value directly as an href attribute on anchor elements without any protocol sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject javascript: URLs that execute arbitrary web scripts when a user clicks the rendered button link.

Product(s) Impacted

Vendor Product Versions
Wordpress
  • Info Cards
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a wordpress info_cards / <2.0.7 / / / wordpress / /

References

https://plugins.trac.wordpress.org/browser/info-cards/tags/2.0.7/build/block.json#L35
https://plugins.trac.wordpress.org/browser/info-cards/tags/2.0.7/build/render.php#L8
https://plugins.trac.wordpress.org/browser/info-cards/tags/2.0.7/build/view.js#L2
https://plugins.trac.wordpress.org/browser/info-cards/trunk/build/block.json#L35
https://plugins.trac.wordpress.org/browser/info-cards/trunk/build/render.php#L8
https://plugins.trac.wordpress.org/browser/info-cards/trunk/build/render.php?rev=3482902
https://plugins.trac.wordpress.org/browser/info-cards/trunk/build/view.js#L2
https://www.wordfence.com/threat-intel/vulnerabilities/id/279984d9-f352-467f-a53d-814466d70326?source=cve

Tags

CWE-79
[email protected]
2026-03-19
CVE-2026-4120

CVSS Score

6.4 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    View Vector String

Timeline

Published: March 19, 2026, 7:16 a.m.
Last Modified: March 19, 2026, 1:25 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.