PatchSiren cyber security CVE debrief
CVE-2026-6399 yog2515 CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in the General Options WordPress plugin, versions up to and including 1.1.0. The flaw stems from improper output escaping of the Contact Number (ad_contact_number) field. The plugin relies on sanitize_text_field(), which strips HTML tags but does not encode double-quote characters to their HTML entity equivalent (&quot;). When the stored value is rendered inside a double-quoted HTML attribute (value="..."), an attacker-supplied double quote closes the attribute and breaks out of the attribute context. WordPress's wp_magic_quotes mechanism prefixes quotes with a backslash, but an HTML parser does not treat the resulting \" sequence as an escaped quote: the backslash is rendered literally and the bare double quote still terminates the attribute. This allows authenticated administrators to inject arbitrary web scripts that execute whenever any administrator visits the General Options settings page. The vulnerability requires high privileges and user interaction, with attack complexity rated as high due to the need for administrative access.
- Vendor: yog2515
- Product: General Options
- CVSS: MEDIUM 4.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
WordPress site administrators using the General Options plugin; security teams managing WordPress installations; developers maintaining WordPress plugins with custom settings fields.
Technical summary
The General Options plugin for WordPress (≤1.1.0) contains a stored XSS vulnerability in the Contact Number field. The root cause is that sanitize_text_field() is used as the output escaper: the function strips tags but does not encode double quotes. When the value is echoed inside a double-quoted HTML attribute, an unencoded quote closes the attribute and breaks the attribute context. The backslash that wp_magic_quotes prepends does not stop the HTML parser from treating the quote character as an attribute delimiter. An attacker with Administrator privileges can therefore store a script that executes for every administrator who views the settings page.
Defensive priority
medium
Recommended defensive actions
- Update the General Options plugin to a version newer than 1.1.0 when available, or remove the plugin if updates are not forthcoming.
- Review administrator account access controls and audit recent administrative activity on affected WordPress installations.
- Implement Content Security Policy (CSP) headers to mitigate the impact of any stored XSS payloads.
- Consider using WordPress security plugins that provide additional output escaping hardening for admin settings pages.
- Monitor for unauthorized script injection in the General Options settings page via file integrity monitoring or scheduled security scans.
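The following block is an added illustration for the Technical summary and the actions list above; it is not the plugin's code and not WordPress's implementation. It is a simplified Python model of the three WordPress behaviours the advisory names (sanitize_text_field(), wp_magic_quotes() and, for the fix, esc_attr()), used to show why a sanitizer cannot double as an attribute escaper, and it adds two defender-side checks: an input allowlist for a contact number and an audit of stored option values that would break out of a quoted attribute. The option name ad_contact_number is from the advisory; the sample values, the model function names and the rendered markup are constructed assumptions. In the real plugin the corresponding fix is to wrap the echoed value in esc_attr() at the point of output.

```python
"""Model of the escaping mistake behind CVE-2026-6399 and of the fix.

Added, stand-alone Python model written for this debrief. The WordPress
functions are imitated only closely enough to show the attribute-context
problem; this is neither the plugin's code nor WordPress's implementation.
"""
import html
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set

# Constructed sample values (not taken from the advisory).
BENIGN_NUMBER = "+1 555 0100"
QUOTED_NUMBER = '+1 555 "0100"'   # one double quote is enough to close value="..."


def model_wp_magic_quotes(value: str) -> str:
    """Imitates addslashes(): backslash before \\, ' and ", as wp_magic_quotes does to request data."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def model_sanitize_text_field(value: str) -> str:
    """Simplified sanitize_text_field(): strips tags and control characters, collapses whitespace.
    Deliberately leaves double quotes untouched, mirroring the defect the advisory describes."""
    value = re.sub(r"<[^>]*>", "", value)
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)
    return re.sub(r"\s+", " ", value).strip()


def model_esc_attr(value: str) -> str:
    """Simplified esc_attr(): entity-encodes &, <, >, " and ' for a quoted attribute context."""
    return html.escape(value, quote=True)


def render_vulnerable(stored: str) -> str:
    """Settings-page markup as the advisory describes it: the sanitizer used as the output escaper."""
    return f'<input type="text" name="ad_contact_number" value="{model_sanitize_text_field(stored)}">'


def render_fixed(stored: str) -> str:
    """Same markup with the value escaped for attribute context (the esc_attr() fix)."""
    return f'<input type="text" name="ad_contact_number" value="{model_esc_attr(stored)}">'


class _AttrCollector(HTMLParser):
    """Records the attributes a real HTML tokenizer assigns to the first start tag it sees."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: Dict[str, Optional[str]] = {}

    def handle_starttag(self, tag, attrs) -> None:
        if not self.attrs:
            self.attrs = dict(attrs)


def parsed_attributes(markup: str) -> Dict[str, Optional[str]]:
    """Parse the markup the way a browser-side tokenizer would and return the attribute map."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def parsed_value(markup: str) -> Optional[str]:
    """The value="..." the parser actually assigns; None if the attribute was lost entirely."""
    return parsed_attributes(markup).get("value")


def attribute_names(markup: str) -> Set[str]:
    """Attribute names on the tag; extra names mean the stored value escaped its attribute."""
    return set(parsed_attributes(markup))


# Input-side allowlist (constructed): digits, spaces, +, parentheses, dots and dashes only.
CONTACT_NUMBER_RE = re.compile(r"\+?[0-9][0-9 ()./-]{0,30}")


def validate_contact_number(value: str) -> bool:
    """Reject anything that is not shaped like a phone number before it is stored.
    Output escaping is still mandatory; validation only keeps junk out of the database."""
    return CONTACT_NUMBER_RE.fullmatch(value) is not None


# Characters that terminate or confuse a quoted attribute if echoed unescaped.
ATTR_BREAKERS = re.compile(r'["\'<>\\]')


def audit_stored_options(options: Dict[str, str]) -> List[str]:
    """Defender-side check for the actions list: names of stored options whose value
    would break out of a quoted attribute if the page echoed it unescaped."""
    return sorted(name for name, value in options.items() if ATTR_BREAKERS.search(value))


if __name__ == "__main__":
    stored = model_wp_magic_quotes(QUOTED_NUMBER)   # what reaches the database, per the advisory
    print("stored          :", repr(stored))
    print("vulnerable value:", repr(parsed_value(render_vulnerable(stored))))
    print("fixed value     :", repr(parsed_value(render_fixed(stored))))
    print("audit           :", audit_stored_options({"ad_contact_number": stored, "ad_email": "x@example.com"}))
```

Running the block shows the parser assigning a truncated value (up to the literal backslash) in the vulnerable rendering, while the escaped rendering returns exactly the stored string and nothing but the three intended attributes. The audit function is the kind of check the monitoring action above calls for: run it over the plugin's stored options and review any name it reports.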
Evidence notes
Vulnerability disclosed via Wordfence and published to NVD on 2026-05-20. Source code references confirm the vulnerable implementation in plugin versions 1.1.0 and trunk. CVSS 3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as primary weakness.
Official resources
2026-05-20