PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6397 cvmh CVE debrief

The Sticky plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in versions up to and including 2.5.6. The flaw exists in the `cvmh_sticky_front_render()` function, where the `readmoretext` attribute of the `cvmh-sticky` shortcode is passed through `apply_filters()` and directly concatenated into HTML output without escaping functions such as `esc_html()`. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts that execute when users access pages containing the malicious shortcode. The vulnerability was published on 2026-05-20 and carries a CVSS 3.1 score of 6.4 (Medium severity).

Vendor: cvmh
Product: Sticky
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

WordPress site administrators using the Sticky plugin; security teams managing content management system (CMS) deployments; developers maintaining WordPress plugins with custom shortcode implementations

Technical summary

The vulnerability stems from insufficient input sanitization and output escaping in the Sticky plugin's shortcode handler. Specifically, the `readmoretext` attribute value flows through `apply_filters()` and is directly embedded into HTML output without escaping. This pattern violates WordPress security best practices for shortcode attribute handling. The attack requires authenticated access at Contributor level or above, limiting exposure to sites with untrusted content contributors. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N reflects network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and low impacts to confidentiality and integrity.
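The unescaped output pattern described above, beside its escaped form, as an added illustration for this debrief (a hypothetical reconstruction, not the Sticky plugin's own code): `sticky_render_unescaped`, `sticky_render_escaped`, the filter name `cvmh_sticky_readmore` and the fallback stand-ins for `esc_html()`, `apply_filters()` and `shortcode_atts()` are assumptions so the file runs under plain PHP CLI as well as inside WordPress.

```php
<?php
// Stand-ins so this file runs outside WordPress (assumption: inside WordPress
// the real functions already exist and these definitions are skipped).
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('apply_filters')) {
    function apply_filters($hook, $value) { return $value; }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        return array_merge($pairs, array_intersect_key((array) $atts, $pairs));
    }
}

// Vulnerable pattern (hypothetical reconstruction): the attribute value goes
// through apply_filters() and is concatenated straight into the markup, so
// whatever a Contributor wrote in readmoretext reaches the browser unchanged.
function sticky_render_unescaped($atts) {
    $atts  = shortcode_atts(array('readmoretext' => 'Read more'), $atts);
    $label = apply_filters('cvmh_sticky_readmore', $atts['readmoretext']);
    return '<a class="sticky-readmore" href="#">' . $label . '</a>';
}

// Hardened form: escape at the point of output, after the filter has run,
// so neither the shortcode author nor a filter callback can inject markup.
function sticky_render_escaped($atts) {
    $atts  = shortcode_atts(array('readmoretext' => 'Read more'), $atts);
    $label = apply_filters('cvmh_sticky_readmore', $atts['readmoretext']);
    return '<a class="sticky-readmore" href="#">' . esc_html($label) . '</a>';
}

// Constructed sample: an attribute value carrying HTML, as post content
// under Contributor control could supply it.
$sample = array('readmoretext' => 'Read <i>more</i>');
echo sticky_render_unescaped($sample), "\n"; // tag passes through as live markup
echo sticky_render_escaped($sample), "\n";   // tag is rendered as literal text
```

Audits of other shortcode handlers (the last recommended action below) can look for the same shape: a value from `shortcode_atts()` or `apply_filters()` reaching an echo or string concatenation with no `esc_html()`/`esc_attr()` call in between.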

Defensive priority

medium

Recommended defensive actions

  • Update the Sticky WordPress plugin to a version newer than 2.5.6 if available
  • Review existing posts and pages for unauthorized use of the cvmh-sticky shortcode with suspicious readmoretext attributes
  • Implement least-privilege access controls for Contributor and Author roles pending patch availability
  • Consider deploying a Web Application Firewall (WAF) rule to filter malicious shortcode payloads as a temporary mitigation
  • Audit plugin code for similar unescaped output patterns in custom shortcode implementations

Evidence notes

Vulnerability confirmed via WordPress plugin repository source code analysis. The vulnerable code path is present in both the tagged 2.5.6 release and the trunk version. Wordfence assigned the CVE identifier and provided the technical analysis.

Official resources

2026-05-20