MEDIUM
yog2515
CVE published 2026-05-20
CVE-2026-6399
A stored cross-site scripting (XSS) vulnerability exists in the General Options WordPress plugin versions up to and including 1.1.0. The flaw stems from improper output escaping in the Contact Number (ad_contact_number) field. The plugin uses sanitize_text_field(), which strips HTML tags but fails to encode double-quote characters to their HTML entity equivalent (&quot;). When the stored value is rendered [truncated]
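An added example, not the plugin's code, contrasting save-time tag stripping with output-time attribute escaping for the ad_contact_number value. It assumes the value is echoed inside a double-quoted HTML attribute (the description above is cut off before the sink is named); the approx_* helpers are hypothetical stand-ins for WordPress's sanitize_text_field() and esc_attr(), and the submitted value is constructed.

```php
<?php
// Added illustration. Runs without WordPress, so the two WordPress helpers
// are approximated by hypothetical stand-ins defined here.

// Stand-in for sanitize_text_field(): removes tags and collapses whitespace,
// but leaves double quotes untouched (the behaviour the advisory describes).
function approx_sanitize_text_field(string $v): string {
    return trim(preg_replace('/\s+/', ' ', strip_tags($v)));
}

// Stand-in for esc_attr(): encodes &, <, >, " and ' for attribute context.
function approx_esc_attr(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}

// Assumed sink: a double-quoted value attribute (the real template is not on the page).
function render_unescaped(string $stored): string {
    return '<input type="text" name="ad_contact_number" value="' . $stored . '">';
}

function render_escaped(string $stored): string {
    return '<input type="text" name="ad_contact_number" value="'
        . approx_esc_attr($stored) . '">';
}

// Parse the markup and list the attribute names the element ends up with.
function attribute_names(string $html): array {
    $doc = new DOMDocument();
    @$doc->loadHTML($html); // suppress parser warnings for the bare fragment
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $a) {
        $names[] = $a->name;
    }
    return $names;
}

// Constructed input: the tag is removed at save time, the double quote is kept.
$submitted = '<b>555-0100</b>" data-injected="1';
$stored    = approx_sanitize_text_field($submitted);

echo "stored:    ", $stored, "\n";
echo "unescaped: ", implode(', ', attribute_names(render_unescaped($stored))), "\n";
echo "escaped:   ", implode(', ', attribute_names(render_escaped($stored))), "\n";
```

An extra attribute name in the unescaped listing means the stored quote closed the value attribute early; the escaped rendering keeps the whole string inside value.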