PatchSiren cyber security CVE debrief
CVE-2026-4811 wpbean CVE debrief
CVE-2026-4811 is a stored cross-site scripting issue in the WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin. The flaw affects all versions up to and including 1.0.8 and can let authenticated users with Editor-level access or higher inject script that executes when affected pages are viewed.
- Vendor: wpbean
- Product: WPB Floating Menu or Categories – Sticky Floating Side Menu & Categories with Icons
- CVSS: MEDIUM 4.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
WordPress site owners and administrators using the WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin, especially where Editor-level or higher accounts can manage category content. Security teams should also review any workflow that renders category metadata on public pages.
Technical summary
NVD and the linked Wordfence advisory describe a stored XSS condition in the plugin's "Icon CSS Class" category field, caused by insufficient input sanitization and output escaping. Wordfence maps the issue to CWE-79 and NVD lists CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, yielding a 4.9 medium score. The supplied reference to the plugin source points to the vulnerable code path in admin/category-icon.php.
Defensive priority
Medium; elevate to higher operational priority on sites that expose the plugin to active Editor-level content workflows or untrusted internal users.
Recommended defensive actions
- Update the plugin to a vendor-fixed release if one is available; if no fixed version is confirmed, disable or remove the plugin until remediation is verified.
- Review all uses of the "Icon CSS Class" category field and inspect rendered pages for unexpected script or markup.
- Restrict Editor-level and higher WordPress permissions to trusted users only.
- Validate that category metadata is properly sanitized on input and escaped on output in custom code or overrides.
- Check recent content changes and page history for signs of stored content tampering or injected scripts.
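As an added illustration of the sanitize-on-input, escape-on-output guidance above, here is a generic WordPress term-meta pattern shown in its weak and hardened forms. This is example code, not the wpbean plugin's own code; the meta key, form field, nonce and hook names are assumptions.

```php
<?php
// Added example of the pattern, not the wpbean plugin's own code.
// The meta key, form field and nonce names below are assumed.
const EXAMPLE_ICON_META_KEY = 'example_icon_css_class';

// Weak form: raw request value stored, then echoed unescaped into an attribute.
function example_save_icon_class_weak( $term_id ) {
    if ( isset( $_POST['icon_css_class'] ) ) {
        update_term_meta( $term_id, EXAMPLE_ICON_META_KEY, $_POST['icon_css_class'] );
    }
}
function example_render_icon_weak( $term_id ) {
    $class = get_term_meta( $term_id, EXAMPLE_ICON_META_KEY, true );
    echo '<i class="' . $class . '"></i>'; // stored value can terminate the attribute
}

// Hardened form: reduce the value to CSS-class tokens on save, check nonce and
// capability, and escape again at output because older stored values may be dirty.
function example_sanitize_icon_classes( $raw ) {
    $raw   = sanitize_text_field( wp_unslash( $raw ) );
    $parts = preg_split( '/\s+/', $raw, -1, PREG_SPLIT_NO_EMPTY );
    // sanitize_html_class() keeps only [A-Za-z0-9_-]; empty results are dropped.
    $clean = array_filter( array_map( 'sanitize_html_class', $parts ) );
    return implode( ' ', $clean );
}
function example_save_icon_class_hardened( $term_id ) {
    if ( ! isset( $_POST['icon_css_class'], $_POST['example_icon_nonce'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_POST['example_icon_nonce'], 'example_icon_save' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_term', $term_id ) ) {
        return;
    }
    $clean = example_sanitize_icon_classes( $_POST['icon_css_class'] );
    update_term_meta( $term_id, EXAMPLE_ICON_META_KEY, $clean );
}
function example_render_icon_hardened( $term_id ) {
    $class = get_term_meta( $term_id, EXAMPLE_ICON_META_KEY, true );
    $class = example_sanitize_icon_classes( $class );
    if ( '' === $class ) {
        return;
    }
    echo '<i class="' . esc_attr( $class ) . '"></i>';
}
add_action( 'created_category', 'example_save_icon_class_hardened' );
add_action( 'edited_category', 'example_save_icon_class_hardened' );
```

Re-sanitizing at render time is what protects pages from values that were stored before the input filter existed, which is the situation an unpatched site is in after applying a fix.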
Evidence notes
This debrief is based only on the supplied NVD record and its linked Wordfence and WordPress Trac references. The record published on 2026-05-21 identifies the issue as stored XSS in versions through 1.0.8, and the linked plugin source reference points to admin/category-icon.php#L41. No fixed version, exploitation campaign, or additional remediation details were provided in the corpus.
Official resources
CVE published by NVD on 2026-05-21. This debrief uses the published CVE date and the linked official/reference sources only.