CVE-2026-3554
The vulnerability affects the Sherk Custom Post Type Displays WordPress plugin (up to version 1.2.1). In sherkcptdisplays_func(), the title attribute of the sherkcptdisplays shortcode is read via shortcode_atts() and directly concatenated into an HTML without escaping, enabling Stored XSS. Explo...