{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3600", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-05T13:47:35.910Z", "datePublished": "2026-04-08T04:27:16.381Z", "dateUpdated": "2026-04-08T16:52:34.895Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:34.895Z"}, "affected": [{"vendor": "investi", "product": "Investi", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.26", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'investi-announcements-accordion' shortcode's 'maximum-num-years' attribute in all versions up to, and including, 1.0.26. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the 'maximum-num-years' attribute value is read directly from shortcode attributes and interpolated into a double-quoted HTML attribute without any escaping (no esc_attr(), htmlspecialchars(), or similar). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Investi <= 1.0.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'maximum-num-years' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51aa0d86-e623-46d1-9d37-a36b4825c071?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/investi/trunk/includes/widgets.php#L14"}, {"url": "https://plugins.trac.wordpress.org/browser/investi/tags/1.0.22/includes/widgets.php#L14"}, {"url": "https://plugins.trac.wordpress.org/browser/investi/trunk/includes/widgets.php#L7"}, {"url": "https://plugins.trac.wordpress.org/browser/investi/tags/1.0.22/includes/widgets.php#L7"}, {"url": "https://plugins.trac.wordpress.org/changeset/3486937/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2026-04-07T16:02:59.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:21:03.370661Z", "id": "CVE-2026-3600", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:21:13.307Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3600", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:21:03.370661Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:21:09.773Z"}}], "cna": {"title": "Investi <= 1.0.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'maximum-num-years' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "investi", "product": "Investi", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.26"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-07T16:02:59.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51aa0d86-e623-46d1-9d37-a36b4825c071?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/investi/trunk/includes/widgets.php#L14"}, {"url": "https://plugins.trac.wordpress.org/browser/investi/tags/1.0.22/includes/widgets.php#L14"}, {"url": "https://plugins.trac.wordpress.org/browser/investi/trunk/includes/widgets.php#L7"}, {"url": "https://plugins.trac.wordpress.org/browser/investi/tags/1.0.22/includes/widgets.php#L7"}, {"url": "https://plugins.trac.wordpress.org/changeset/3486937/"}], "descriptions": [{"lang": "en", "value": "The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'investi-announcements-accordion' shortcode's 'maximum-num-years' attribute in all versions up to, and including, 1.0.26. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the 'maximum-num-years' attribute value is read directly from shortcode attributes and interpolated into a double-quoted HTML attribute without any escaping (no esc_attr(), htmlspecialchars(), or similar). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T04:27:16.381Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3600", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:21:13.307Z", "dateReserved": "2026-03-05T13:47:35.910Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T04:27:16.381Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'investi-announcements-accordion' shortcode's 'maximum-num-years' attribute in all versions up to, and including, 1.0.26. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the 'maximum-num-years' attribute value is read directly from shortcode attributes and interpolated into a double-quoted HTML attribute without any escaping (no esc_attr(), htmlspecialchars(), or similar). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-3600", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T05:16:05.960", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/investi/tags/1.0.22/includes/widgets.php#L14"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/investi/tags/1.0.22/includes/widgets.php#L7"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/investi/trunk/includes/widgets.php#L14"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/investi/trunk/includes/widgets.php#L7"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3486937/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51aa0d86-e623-46d1-9d37-a36b4825c071?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.26]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Investi", "source": "cna", "vendor": "investi"}, "product": "investi", "vendor": "investi"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T05:20:30.024480+00:00", "value": {"mitigation_remediation": ["Update Investi to the latest version (1.0.27 or later).", "If an upgrade is not possible, remove or disable the investi\u2011announcements\u2011accordion shortcode from site content.", "Restrict Contributor role or revoke it from untrusted users.", "Apply site\u2011wide content filtering or CSP headers to mitigate potential script execution."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Any WordPress site that installs the Investi plugin version 1.0.26 or earlier is affected. The vulnerability is present in all releases through 1.0.26, regardless of the WordPress core version.", "description_and_impact": "The Investi WordPress plugin fails to sanitize the maximum\u2011num\u2011years attribute of its investi\u2011announcements\u2011accordion shortcode, allowing an authenticated Contributor or higher user to embed arbitrary JavaScript. The inserted script is stored in the database and delivered to any visitor who views a page containing the shortcode, potentially stealing credentials, defacing content, or performing further malicious actions on behalf of the user. This flaw corresponds to CWE\u201179, a classic stored XSS weakness.", "risk_and_exploitability": "The flaw carries a CVSS score of 6.4, indicating moderate severity. EPSS data is not published, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only Contributor\u2011level login, which is a common role on many sites. Once an attacker supplies a malicious maximum\u2011num\u2011years value, the payload is stored in the database and will execute for any user who loads the affected page, making the attack straightforward and low\u2011cost for an authenticated user."}}}}, "created": "2026-04-08T19:33:22.238766+00:00", "updated": "2026-04-08T19:43:58.432199+00:00", "vendors": ["investi", "investi$PRODUCT$investi", "wordpress", "wordpress$PRODUCT$wordpress"]}