A vulnerability described as problematic has been identified in the dartiss Draft List Plugin up to 2.6.2 on WordPress. This affects the function WP_Post::__get of the component Shortcode Handler. The manipulation results in cross-site scripting. This vulnerability was named CVE-2026-4006. The attack may be performed remotely. There is no available exploit. Upgrading the affected component is recommended.