MEDIUM
cvmh
CVE published 2026-05-20
CVE-2026-6397
The Sticky plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in versions up to and including 2.5.6. The flaw exists in the `cvmh_sticky_front_render()` function, where the `readmoretext` attribute of the `cvmh-sticky` shortcode is passed through `apply_filters()` and directly concatenated into HTML output without escaping functions such as `esc_html()`. This allows authentica [truncated]
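
The pattern described above, shown beside its escaped form, as an added illustration that is not the Sticky plugin's source code. Only the `readmoretext` attribute, `apply_filters()` and `esc_html()` come from the description; the function bodies, the hook name `example_readmore_text`, the markup and the WordPress stand-ins (included so the file runs outside WordPress) are assumptions.

```php
<?php
// Added illustration; NOT the plugin's code. Function names, the hook name and
// the markup are hypothetical. Only the attribute name is from the advisory.

// Minimal stand-ins so this runs outside WordPress (WordPress defines the real ones).
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('apply_filters')) {
    function apply_filters($hook, $value) {
        return $value; // no callbacks registered in this stand-in
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($defaults, $atts) {
        return array_merge($defaults, array_intersect_key((array) $atts, $defaults));
    }
}

// Pattern from the description: attribute -> apply_filters() -> raw concatenation.
function example_render_unescaped($atts) {
    $atts = shortcode_atts(array('readmoretext' => 'Read more'), $atts);
    $text = apply_filters('example_readmore_text', $atts['readmoretext']);
    return '<a class="sticky-readmore" href="#">' . $text . '</a>';
}

// Hardened form: escape at the point of output, after all filters have run,
// so neither the attribute nor a filter callback can introduce markup.
function example_render_escaped($atts) {
    $atts = shortcode_atts(array('readmoretext' => 'Read more'), $atts);
    $text = apply_filters('example_readmore_text', $atts['readmoretext']);
    return '<a class="sticky-readmore" href="#">' . esc_html($text) . '</a>';
}

// Constructed sample: harmless markup stands in for user-supplied attribute text.
$atts = array('readmoretext' => '<b>more</b>');
echo example_render_unescaped($atts), PHP_EOL; // markup reaches the page intact
echo example_render_escaped($atts), PHP_EOL;   // markup is rendered as literal text
```

When auditing similar shortcode handlers, check every attribute that reaches returned HTML: text nodes need `esc_html()`, and values placed inside HTML attributes need `esc_attr()`.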