CVE-2026-3600

MEDIUM

Investi <= 1.0.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'maximum-num-years' Shortcode Attribute

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-3600. PoCs published by K3ysTr0K3R.

AI-analyzed exploit summary The repository contains only a minimal README with the CVE identifier and no exploit code, technical details, or functional content.

Description

The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'investi-announcements-accordion' shortcode's 'maximum-num-years' attribute in all versions up to, and including, 1.0.26. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the 'maximum-num-years' attribute value is read directly from shortcode attributes and interpolated into a double-quoted HTML attribute without any escaping (no esc_attr(), htmlspecialchars(), or similar). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Exploits (1)

github STUB
by K3ysTr0K3R · poc
https://github.com/K3ysTr0K3R/CVE-2026-3600

The repository contains only a minimal README with the CVE identifier and no exploit code, technical details, or functional content.

Classification
Stub 95%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Jun 02, 2026 Full analysis →

References (6)

Core 6

Scores

CVSS v3 6.4
EPSS 0.0001
EPSS Percentile 3.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
investi/Investi < 1.0.26
Published Apr 08, 2026
Tracked Since Apr 08, 2026