Vulnerabilities and security researches forer-swiffy-insert er-swiffy-insert

Apr 24, 2026

CVE, Research URL: CVE-2026-4082
Home page URL: Security reports for ER Swiffy Insert
Application: ER Swiffy Insert
Date: Apr 22, 2026
Research Description: The ER Swiffy Insert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [swiffy] shortcode in all versions up to and including 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes ('n', 'w', 'h'). These attributes are extracted using extract() and directly interpolated into the HTML output without any escaping such as esc_attr(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.0.0.
Status: vulnerable