Stored Cross-Site Scripting in WPB Floating Menu & Categories Plugin for WordPress
CVE-2026-4811

4.9 MEDIUM

What is CVE-2026-4811?

The WPB Floating Menu & Categories plugin for WordPress is subject to a Stored Cross-Site Scripting vulnerability. This flaw arises from inadequate input sanitization and output escaping within the 'Icon CSS Class' category field. This allows attackers with Editor-level access or higher to inject malicious scripts into web pages. When users visit these compromised pages, the scripts execute, leading to potential data theft, site compromise, or other malicious activities.
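The fix pattern for a field like this, sanitizing on save and escaping on output, is shown below as an added example. It is not the plugin's own code. It assumes it is loaded as a WordPress plugin file, and the meta key and form field name `example_icon_class` and the `example_*` function names are hypothetical.

```php
<?php
// Added example: hypothetical field/meta key 'example_icon_class'; not the plugin's code.

// Reduce free text to a space-separated list of valid CSS class tokens.
function example_sanitize_icon_classes( $raw ) {
    if ( ! is_string( $raw ) ) {
        return '';
    }
    $tokens = preg_split( '/\s+/', trim( $raw ), -1, PREG_SPLIT_NO_EMPTY );
    // sanitize_html_class() keeps only A-Z, a-z, 0-9, '_' and '-' in each token,
    // so quotes, angle brackets and other markup characters are dropped.
    $clean = array_filter( array_map( 'sanitize_html_class', $tokens ) );
    return implode( ' ', array_unique( $clean ) );
}

// Input side: sanitize before the value is stored as term meta.
function example_save_icon_class( $term_id ) {
    if ( ! isset( $_POST['example_icon_class'] ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_term', $term_id ) ) {
        return;
    }
    $value = example_sanitize_icon_classes( wp_unslash( $_POST['example_icon_class'] ) );
    update_term_meta( $term_id, 'example_icon_class', $value );
}
add_action( 'created_category', 'example_save_icon_class' );
add_action( 'edited_category', 'example_save_icon_class' );

// Output side: sanitize again and escape for the attribute context, so values
// that were stored before the save-side check existed are neutralized as well.
function example_render_icon( $term_id ) {
    $stored = get_term_meta( $term_id, 'example_icon_class', true );
    $class  = example_sanitize_icon_classes( $stored );
    if ( '' === $class ) {
        return '';
    }
    return '<i class="' . esc_attr( $class ) . '" aria-hidden="true"></i>';
}
```

Escaping at render time matters independently of the save-side check, because a stored XSS value written by a vulnerable version remains in the database after the plugin is updated.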

Affected Version(s)

WPB Floating Menu or Categories – Sticky Floating Side Menu & Categories with Icons: versions 0 through 1.0.8 (inclusive)

CVSS V3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

HA GIA BAO