PatchSiren cyber security CVE debrief
CVE-2026-10024 360crest CVE debrief
The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Vendor: 360crest
- Product: TinyMCE shortcode Addon
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Users of the TinyMCE shortcode Addon plugin for WordPress, version 1.0.0 or earlier, should update to the latest version to prevent Stored Cross-Site Scripting attacks.
Technical summary
The vulnerability exists in the TinyMCE shortcode Addon plugin for WordPress, specifically in the 'btnrel' Shortcode Attribute. The plugin does not properly sanitize input and escape output, allowing authenticated attackers with contributor-level access or higher to inject malicious scripts.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to the latest version of TinyMCE shortcode Addon plugin for WordPress.
- Restrict access to the plugin's functionality to prevent unauthorized users from injecting malicious scripts.
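A check for content that was stored before the plugin is updated, as an added example that is not from the advisory or the plugin: it scans post bodies for 'btnrel' values that are not plain rel tokens. The shortcode tag example_button, the allowlist and the sample posts are constructed assumptions; real input would be an export of wp_posts.post_content.

```python
import re

# rel tokens treated as legitimate (assumption: a subset of the HTML link types).
ALLOWED_REL = {"nofollow", "noopener", "noreferrer", "sponsored", "ugc", "external"}

# An opening shortcode tag: [name attrs]. Closing tags ([/name]) do not match.
TAG = re.compile(r"\[(\w[\w-]*)\b([^\[\]]*)\]")
# btnrel="...", btnrel='...' or an unquoted btnrel=value.
ATTR = re.compile(r"""(?<![\w-])btnrel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""", re.I)


def btnrel_values(content):
    """Yield (shortcode_tag, raw_value) for every btnrel attribute in post content."""
    for tag in TAG.finditer(content):
        for m in ATTR.finditer(tag.group(2)):
            yield tag.group(1), next(g for g in m.groups() if g is not None)


def is_suspicious(value):
    """True when the value is not a space-separated list of allowed rel tokens."""
    return any(tok.lower() not in ALLOWED_REL for tok in value.split())


def audit(posts):
    """Return [(post_id, tag, value)] for btnrel values that need manual review."""
    return [
        (post_id, tag, value)
        for post_id, content in posts
        for tag, value in btnrel_values(content)
        if is_suspicious(value)
    ]


# Constructed sample rows: (post ID, post_content).
SAMPLE_POSTS = [
    (101, '<p>Intro</p>[example_button btnrel="nofollow noopener"]Buy[/example_button]'),
    # Value carries a quote and a second attribute: it would break out of rel="...".
    (102, "[example_button btnrel='nofollow\" data-x=\"1']Go[/example_button]"),
    (103, "[example_button btnrel=sponsored]Ad[/example_button] text"),
]

if __name__ == "__main__":
    for post_id, tag, value in audit(SAMPLE_POSTS):
        print(f"post {post_id}: [{tag}] btnrel={value!r} needs review")
```

Anything it flags should be checked against the author and revision history of that post, since the advisory puts the injection within reach of contributor-level accounts.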
Evidence notes
The CVE-2026-10024 record and NVD detail provide information on the vulnerability, including its CVSS score and vector.
Official resources
CVE-2026-10024 was published on 2026-06-09T05:16:29.540Z and modified on 2026-06-09T13:33:34.393Z.