Security Alert Summary
The ZeM STL plugin for WordPress is affected by a stored Cross-Site Scripting (XSS) vulnerability via the [zemstl] shortcode. User-supplied shortcode attributes url, color, and bgcolor are not properly escaped before being inserted into HTML attributes, allowing authenticated users with Contributor-level access and above to store JavaScript that will execute when a page with the injected shortcode is viewed.
CVE Details
- CVE ID: CVE-2026-4081
- Affected component: ZeM STL plugin for WordPress (plugin slug zem-stl-viewer, file zemstl.php)
- Affected versions: All versions up to and including 1.0
- Published: June 2, 2026 9:16 AM
- Last modified: June 2, 2026 1:03 PM
- CVSS v3.1: Base score 6.4, MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
- Authentication / Privileges / Interaction: Requires an authenticated attacker with low privileges (PR:L; Contributor or higher). No user interaction is required in CVSS terms (UI:N), although the stored payload only runs when someone views a page containing the shortcode.
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- Weakness: CWE-79 (Cross-site Scripting)
Technical Details
The vulnerability is a stored Cross-Site Scripting issue in the handler for the [zemstl] shortcode. The plugin accepts the url, color, and bgcolor attributes from the shortcode and interpolates their values directly into HTML attribute context without passing them through output-escaping functions such as esc_attr() (or esc_url() for the URL). Because the shortcode text is saved with the post and the attributes are only turned into HTML when the page is rendered, an authenticated user with Contributor-level access or higher can store a crafted value, for example one that closes the attribute and adds an event handler, and it will execute in the browser of anyone who views the page.
The root cause is missing validation and output escaping of user-supplied shortcode attributes; the references point to lines 74, 103, 104 and 107 of zemstl.php (in both tag 1.0 and trunk) as the locations where the values are written into attribute context. Note that WordPress's KSES filtering, which strips raw <script> tags from posts written by users without the unfiltered_html capability, does not prevent this: the attacker's text is stored as an ordinary shortcode attribute and only becomes markup when the plugin renders it, so the fix has to be applied at output time (escaping, plus validating that color and bgcolor are well-formed colors and that url carries an allowed scheme).
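To make the pattern concrete, here is an added example that is not the plugin's code: a shortcode callback written in the vulnerable style the advisory describes, beside a hardened version. The markup it emits, the default colours, the helper zemstl_sanitize_hex_color() and the stand-in definitions of shortcode_atts(), esc_attr() and esc_url() (used only when the file is run outside WordPress) are illustrative assumptions; inside WordPress the real helpers are used and the stand-ins are skipped. The attacker input is constructed for the demonstration.

```php
<?php
// Added example (not the plugin's code): the unescaped-attribute pattern
// described in the advisory beside a hardened version. Stand-ins for the
// WordPress helpers are defined only when this runs outside WordPress.

if (!function_exists('shortcode_atts')) {
    // Simplified stand-in for WP's shortcode_atts(): keep only known keys.
    function shortcode_atts(array $defaults, array $atts): array {
        $out = $defaults;
        foreach ($defaults as $k => $v) {
            if (array_key_exists($k, $atts)) {
                $out[$k] = $atts[$k];
            }
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    // Stand-in for WP's esc_attr(): HTML-encode for attribute context.
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in for WP's esc_url(): allow only http(s) or relative
    // URLs and drop anything with another scheme (javascript:, data:, ...).
    function esc_url(string $url): string {
        $url = trim($url);
        if ($url === '') {
            return '';
        }
        if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $url, $m)
            && !in_array(strtolower(rtrim($m[0], ':')), ['http', 'https'], true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

$zemstl_defaults = ['url' => '', 'color' => '#888888', 'bgcolor' => '#ffffff'];

// Vulnerable pattern: attribute values interpolated straight into HTML.
function zemstl_render_vulnerable(array $atts): string {
    global $zemstl_defaults;
    $a = shortcode_atts($zemstl_defaults, $atts);
    return '<div class="zemstl" data-url="' . $a['url'] . '" '
         . 'style="color:' . $a['color'] . ';background:' . $a['bgcolor'] . '"></div>';
}

// Allowlist #rgb / #rrggbb; anything else falls back to the default.
function zemstl_sanitize_hex_color(string $c, string $fallback): string {
    return preg_match('/^#([0-9a-f]{3}|[0-9a-f]{6})$/i', $c) ? $c : $fallback;
}

// Hardened pattern: validate where a strict format exists, escape the rest.
// esc_url() is already safe for attribute output, so it is not re-escaped.
function zemstl_render_hardened(array $atts): string {
    global $zemstl_defaults;
    $a = shortcode_atts($zemstl_defaults, $atts);
    $url     = esc_url((string) $a['url']);
    $color   = zemstl_sanitize_hex_color((string) $a['color'], $zemstl_defaults['color']);
    $bgcolor = zemstl_sanitize_hex_color((string) $a['bgcolor'], $zemstl_defaults['bgcolor']);
    return '<div class="zemstl" data-url="' . $url . '" '
         . 'style="color:' . esc_attr($color) . ';background:' . esc_attr($bgcolor) . '"></div>';
}

// Constructed attacker input, as a Contributor could place it in a post:
//   [zemstl url='" onmouseover="alert(document.domain)' color="red"]
// The single-quoted value lets the shortcode parser accept the embedded
// double quote, which then closes data-url and adds an event handler.
$malicious = ['url' => '" onmouseover="alert(document.domain)', 'color' => 'red'];

echo "Vulnerable:\n" . zemstl_render_vulnerable($malicious) . "\n\n";
echo "Hardened:\n"   . zemstl_render_hardened($malicious) . "\n";
```

Run with `php example.php`: the vulnerable output contains a live onmouseover attribute, while the hardened output encodes the quotes inside data-url and falls back to the default colour because "red" is not a hex value. In a real fix, validating the colour attributes is preferable to escaping alone, since a value such as `red;background:url(...)` is harmless to esc_attr() but still lets the author inject arbitrary CSS.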
How This Could Impact Your Website
Consider a small team managing a WordPress site: the site owner, an internal editor, and an external contractor with Contributor access who adds content. If the contractor, or an attacker who has compromised the contractor's account, inserts a malicious payload via the [zemstl] shortcode attributes, that payload runs in the browser of any team member or visitor who opens the page, including an editor or administrator who reviews the draft before publishing it.
Practical consequences include exposure of information the viewer can see in the browser, unauthorized modification of content shown to other users, and requests made with the viewer's privileges; an administrator viewing the page is the most valuable target, because script running in their session can act on the site on their behalf. The injected script can also harvest email addresses or role information from pages the victim can access, which raises the risk of targeted social engineering against staff and contributors.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. Since all versions up to and including 1.0 are affected, deactivate the plugin or remove the [zemstl] shortcode from content authored by untrusted users until a fix is released.
- Review and reduce unnecessary user roles; restrict contributor and author capabilities where possible.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior or unexpected content injections; in particular, review existing posts for [zemstl] shortcodes whose url, color, or bgcolor values contain quotes, angle brackets, event-handler names, or non-http(s) schemes.
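As an added example for the review step above (not the plugin's or WordPress's code), the following scans post content for [zemstl] shortcodes whose attribute values look like markup injection. The post IDs and contents are constructed for the demonstration, the stand-in shortcode_parse_atts() is only defined when run outside WordPress, and the set of characters treated as suspicious is an assumption chosen to catch attribute breakouts and CSS/URL injection rather than a definitive list.

```php
<?php
// Added example (not the plugin's or WordPress's code): flag [zemstl]
// shortcodes whose attribute values contain characters that a legitimate
// URL or colour value should never need.

if (!function_exists('shortcode_parse_atts')) {
    // Simplified stand-in for WP's shortcode_parse_atts(): handles
    // key="v", key='v' and bare key=v pairs.
    function shortcode_parse_atts(string $text): array {
        $atts = [];
        $re = '/(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*\'([^\']*)\'|(\w+)\s*=\s*([^\s"\'\]]+)/';
        if (preg_match_all($re, $text, $m, PREG_SET_ORDER)) {
            foreach ($m as $p) {
                if ($p[1] !== '') {
                    $atts[strtolower($p[1])] = $p[2];
                } elseif ($p[3] !== '') {
                    $atts[strtolower($p[3])] = $p[4];
                } else {
                    $atts[strtolower($p[5])] = $p[6];
                }
            }
        }
        return $atts;
    }
}

// Quotes or angle brackets break out of the attribute; javascript:/data:
// schemes, inline event handlers and CSS url()/expression() are the usual
// payload carriers. Assumed heuristics; tune for your content.
function zemstl_value_is_suspicious(string $v): bool {
    return (bool) preg_match(
        '/["\'<>]|javascript:|data:|\bon\w+\s*=|expression\s*\(|url\s*\(/i', $v);
}

// Returns one finding per suspicious attribute in the given post body.
function zemstl_scan_content(int $post_id, string $content): array {
    $findings = [];
    if (!preg_match_all('/\[zemstl\b([^\]]*)\]/i', $content, $m, PREG_SET_ORDER)) {
        return $findings;
    }
    foreach ($m as $match) {
        foreach (shortcode_parse_atts($match[1]) as $name => $value) {
            if (zemstl_value_is_suspicious((string) $value)) {
                $findings[] = [
                    'post_id'   => $post_id,
                    'attribute' => $name,
                    'value'     => $value,
                    'shortcode' => $match[0],
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample posts: one benign, two carrying injection attempts.
$posts = [
    101 => 'Intro [zemstl url="https://example.com/models/part.stl" color="#336699" bgcolor="#ffffff"] text',
    102 => "Look [zemstl url='\" onmouseover=\"alert(document.domain)' color=\"#000\"]",
    103 => '[zemstl url="javascript:alert(1)" color="red;background:url(//evil.example/x)"]',
];

foreach ($posts as $id => $content) {
    foreach (zemstl_scan_content($id, $content) as $f) {
        printf("post %d: %s=%s in %s\n", $f['post_id'], $f['attribute'], $f['value'], $f['shortcode']);
    }
}
```

Post 101 produces no findings; post 102 is flagged on url and post 103 on both url and color. Inside a live site, drop the sample array and loop over the posts instead (for example via `get_posts()` with `post_type => 'any'` and `post_status => 'any'` so drafts and pending contributor submissions are included), running the script with `wp eval-file scan.php`; any hit should be reviewed together with the author account that saved that revision.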
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/zem-stl-viewer/tags/1.0/zemstl.php#L103
- https://plugins.trac.wordpress.org/browser/zem-stl-viewer/tags/1.0/zemstl.php#L104
- https://plugins.trac.wordpress.org/browser/zem-stl-viewer/tags/1.0/zemstl.php#L107
- https://plugins.trac.wordpress.org/browser/zem-stl-viewer/tags/1.0/zemstl.php#L74
- https://plugins.trac.wordpress.org/browser/zem-stl-viewer/trunk/zemstl.php#L103
- https://plugins.trac.wordpress.org/browser/zem-stl-viewer/trunk/zemstl.php#L104
- https://plugins.trac.wordpress.org/browser/zem-stl-viewer/trunk/zemstl.php#L107
- https://plugins.trac.wordpress.org/browser/zem-stl-viewer/trunk/zemstl.php#L74
- https://www.wordfence.com/threat-intel/vulnerabilities/id/07e415f9-42f1-4c80-a023-38f460f634d3?source=cve