PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8846 eldougo CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in the Tuxquote WordPress plugin, affecting versions up to and including 1.3. The flaw resides in the `tuxquote_build_format()` function, which fails to sanitize or escape user-supplied attributes (`title`, `align`, `width`) before rendering them in HTML output. Authenticated attackers with Contributor-level privileges or higher can inject arbitrary JavaScript via the `TUXQUOTE` shortcode, which executes when any user views the affected page. The vulnerability was disclosed on 2026-05-27 and carries a CVSS 3.1 score of 6.4 (Medium severity). No known exploitation in ransomware campaigns has been reported.

Vendor
eldougo
Product
Tuxquote
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

WordPress site administrators using the Tuxquote plugin; security teams managing content management system (CMS) deployments; developers maintaining WordPress plugins with shortcode functionality; organizations with Contributor or Author user roles enabled for non-administrative content creators

Technical summary

The Tuxquote plugin's `tuxquote_build_format()` function concatenates user-controlled shortcode attributes directly into HTML output without passing them through the WordPress escaping functions `esc_attr()` or `esc_html()`. The vulnerable attributes (`title`, `align` and `width`) are rendered into the generated markup, so a crafted value can break out of its attribute or element and inject script. Content filtering on save (`wp_kses` for roles without the `unfiltered_html` capability) does not cover this case: the payload sits inside a shortcode attribute that contains no HTML tag, so it is stored untouched and only becomes markup when the shortcode is rendered. Because the XSS is stored, the payload persists in the database and executes in the browser of every user who views the rendered content. Exploitation requires an authenticated account with Contributor capabilities or higher, so the realistic attackers are malicious or compromised low-privilege accounts. A Contributor cannot publish, so the typical path is a submitted post whose preview runs the payload in the session of the reviewing Editor or Administrator; an Author can publish the payload directly. The CVSS 3.1 score of 6.4 reflects a network attack vector, low attack complexity, low privileges required, no user interaction, changed scope (the script runs in the victim's browser, outside the vulnerable plugin) and low confidentiality and integrity impact.
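The pattern described above, side by side with a hardened handler, as an added example that is not the Tuxquote plugin's own code. The function bodies are a constructed reconstruction of the unescaped-concatenation flaw (the real plugin's markup is not on this page); the WordPress helpers `shortcode_atts()`, `esc_attr()` and `esc_html()` are polyfilled with equivalent behaviour so the file runs stand-alone with `php`, and the hostile attribute values are constructed.

```php
<?php
// Added example, not the Tuxquote plugin's own code: a constructed
// reconstruction of the unescaped-concatenation pattern the advisory
// describes, beside a hardened version of the same shortcode handler.
// The WordPress helpers it uses (shortcode_atts, esc_attr, esc_html) are
// polyfilled with equivalent behaviour so the file runs stand-alone with
// `php tuxquote_example.php`; inside WordPress the core functions are used.

if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    // Core semantics: keep only the keys listed in $pairs, defaults for the rest.
    function shortcode_atts( $pairs, $atts ) {
        $out = array();
        foreach ( $pairs as $name => $default ) {
            $out[ $name ] = array_key_exists( $name, $atts ) ? $atts[ $name ] : $default;
        }
        return $out;
    }
}

const TUXQUOTE_DEFAULTS = array( 'title' => '', 'align' => 'left', 'width' => '100%' );

// VULNERABLE (constructed, hypothetical function body): values are
// concatenated straight into the markup. A double quote in title closes
// the title="" attribute and whatever follows becomes a new attribute.
function tuxquote_build_format_unsafe( $atts ) {
    $a = shortcode_atts( TUXQUOTE_DEFAULTS, $atts );
    return '<div class="tuxquote" style="text-align:' . $a['align'] . ';width:' . $a['width'] . '">'
         . '<span class="tuxquote-title" title="' . $a['title'] . '">' . $a['title'] . '</span>'
         . '</div>';
}

// HARDENED: each value is escaped for the context it lands in, and the two
// values that feed CSS are validated against an allow-list, because escaping
// alone would still let "align" carry arbitrary style declarations.
function tuxquote_build_format_safe( $atts ) {
    $a = shortcode_atts( TUXQUOTE_DEFAULTS, $atts );

    $align = in_array( $a['align'], array( 'left', 'center', 'right' ), true ) ? $a['align'] : 'left';
    // Width: a short integer with an optional px or % unit; anything else falls back.
    $width = preg_match( '/^\d{1,4}(px|%)?$/', (string) $a['width'] ) ? $a['width'] : '100%';

    return '<div class="tuxquote" style="text-align:' . esc_attr( $align ) . ';width:' . esc_attr( $width ) . '">'
         . '<span class="tuxquote-title" title="' . esc_attr( $a['title'] ) . '">' . esc_html( $a['title'] ) . '</span>'
         . '</div>';
}

// Constructed attacker-controlled attributes, in the form WordPress hands to
// the handler after parsing [TUXQUOTE title='...' align='...' width='...'].
// Shortcode syntax accepts single-quoted values, so the double quote inside
// title survives parsing.
$hostile = array(
    'title' => 'Quote" onmouseover="alert(document.cookie)',
    'align' => 'left;background:red',
    'width' => '100%',
);

echo "unsafe:   ", tuxquote_build_format_unsafe( $hostile ), "\n";
echo "hardened: ", tuxquote_build_format_safe( $hostile ), "\n";
```

In the unsafe output the `onmouseover` becomes a real attribute on the span and the injected style declaration is applied; in the hardened output the quote is rendered as `&quot;` inside the attribute, the title text is entity-encoded, and the non-allow-listed `align` value falls back to `left`. The allow-list step matters because `esc_attr()` alone would keep the markup well-formed but still pass the injected CSS through.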

Defensive priority

medium

Recommended defensive actions

  • Upgrade Tuxquote to a release later than 1.3 as soon as the vendor publishes one; the stored evidence names no fixed version, so until then deactivate or remove the plugin (with the plugin inactive, existing TUXQUOTE shortcodes render as literal text rather than as markup)
  • Review existing content for TUXQUOTE shortcode usage and inspect the `title`, `align` and `width` attribute values for quotes, angle brackets, event-handler names or CSS; include pending, draft and revision rows as well as published posts, since a Contributor's submission stays unpublished until an Editor reviews it
  • Deploy a Content Security Policy that disallows inline script (`script-src` without `'unsafe-inline'`, using nonces or hashes) to limit the impact of any unpatched XSS vector; WordPress core and many plugins emit inline scripts, so roll it out in report-only mode first
  • Restrict Contributor and Author role assignments to trusted users, as these roles are sufficient to exploit the flaw; Authors can publish directly, and Contributors' pending posts reach reviewers' browsers through preview
  • Enable WordPress automatic plugin updates or subscribe to security advisories for the Tuxquote plugin to receive timely patch notifications
  • Consider a Web Application Firewall (WAF) rule that blocks TUXQUOTE shortcode attributes containing quotes, angle brackets or event-handler names as a temporary defense layer; treat it as a stopgap, since the injection point is an authenticated editor form
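An audit helper for the content review step in the list above, added here as an example and not part of the advisory or the plugin. It assumes rows have already been pulled from `wp_posts` (for instance with `$wpdb` or `wp db query`); the sample rows are constructed, the attribute parser is a small regex that mirrors the three quoting forms WordPress shortcodes accept, and the detection heuristics and allow-lists are assumptions for this example.

```php
<?php
// Added audit helper, not part of the advisory or the plugin: finds
// [TUXQUOTE ...] shortcodes in stored post content and flags attribute values
// that could break out of an HTML attribute or inject CSS/markup. The post
// rows below are constructed; in a real run feed it rows from wp_posts
// (e.g. via $wpdb or `wp db query`), including pending, draft and revision
// rows, since a Contributor's submission is not published yet.

const TUXQUOTE_ALLOWED_ALIGN = array( 'left', 'center', 'right' );

// Return the raw attribute string of every [TUXQUOTE ...] tag in $content.
function tuxquote_find_shortcodes( $content ) {
    preg_match_all( '/\[TUXQUOTE\b([^\]]*)\]/i', $content, $m );
    return $m[1];
}

// Parse name="v", name='v' and name=v, the three forms WordPress's
// shortcode_parse_atts() accepts. Returns an associative array.
function tuxquote_parse_atts( $raw ) {
    $atts = array();
    if ( preg_match_all( '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/', $raw, $m, PREG_SET_ORDER ) ) {
        foreach ( $m as $match ) {
            // Trailing unmatched groups are absent from $match, so fall back right to left.
            $atts[ strtolower( $match[1] ) ] = $match[4] ?? $match[3] ?? $match[2];
        }
    }
    return $atts;
}

// Decide whether a single attribute value looks like an injection attempt.
// Returns a reason string, or null when the value is benign (assumed heuristics).
function tuxquote_suspicious_reason( $name, $value ) {
    if ( preg_match( '/["\'<>]/', $value ) ) {
        return 'quote or angle bracket in value';
    }
    if ( preg_match( '/\bon\w+\s*=/i', $value ) ) {
        return 'event-handler attribute';
    }
    if ( preg_match( '/javascript:|expression\s*\(|url\s*\(/i', $value ) ) {
        return 'script or CSS url() payload';
    }
    if ( 'align' === $name && ! in_array( strtolower( $value ), TUXQUOTE_ALLOWED_ALIGN, true ) ) {
        return 'align outside allow-list (possible CSS injection)';
    }
    if ( 'width' === $name && ! preg_match( '/^\d{1,4}(px|%)?$/', $value ) ) {
        return 'width is not a plain length';
    }
    return null;
}

// Scan rows shaped like [ 'ID' => int, 'post_status' => string, 'post_content' => string ]
// and return one finding per suspicious attribute.
function tuxquote_audit( array $rows ) {
    $findings = array();
    foreach ( $rows as $row ) {
        foreach ( tuxquote_find_shortcodes( $row['post_content'] ) as $raw ) {
            foreach ( tuxquote_parse_atts( $raw ) as $name => $value ) {
                $reason = tuxquote_suspicious_reason( $name, $value );
                if ( null !== $reason ) {
                    $findings[] = array(
                        'ID'     => $row['ID'],
                        'status' => $row['post_status'],
                        'attr'   => $name,
                        'value'  => $value,
                        'reason' => $reason,
                    );
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows standing in for a wp_posts query result.
$sample_rows = array(
    array( 'ID' => 12, 'post_status' => 'publish',
           'post_content' => '<p>Intro</p>[TUXQUOTE title="On simplicity" align="center" width="60%"]' ),
    array( 'ID' => 41, 'post_status' => 'pending',
           'post_content' => "[TUXQUOTE title='Quote\" onmouseover=\"alert(document.cookie)' align=\"left\" width=\"100%\"]" ),
    array( 'ID' => 57, 'post_status' => 'draft',
           'post_content' => '[TUXQUOTE title="Fine" align="left;background:red" width=100]' ),
);

foreach ( tuxquote_audit( $sample_rows ) as $f ) {
    printf( "post %d (%s): %s=%s -> %s\n", $f['ID'], $f['status'], $f['attr'], $f['value'], $f['reason'] );
}
```

Run against the sample rows, the published post is clean, the pending post is flagged on `title` for the embedded double quote, and the draft is flagged on `align` for carrying a style declaration. The quote and angle-bracket check is deliberately broad: a legitimate title containing an apostrophe will be reported too, which is acceptable for a one-off review where a false positive costs a few seconds and a miss costs an administrator session.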

Evidence notes

Vulnerability confirmed via Wordfence security advisory and WordPress plugin repository source code review. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as root cause. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

Official resources

2026-05-27