PatchSiren cyber security CVE debrief
CVE-2026-8877 esiteq CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in the Responsive Video Embedder WordPress plugin, affecting versions up to and including 0.1. The flaw resides in the plugin's `video_shortcode()` function, which fails to sanitize or escape user-supplied attributes, specifically the 'id' and 'list' parameters, before concatenating them into an HTML iframe's src attribute. This allows authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript payloads that execute when other users view the compromised pages. The vulnerability was disclosed on 2026-05-27 and carries a CVSS 3.1 score of 6.4 (Medium severity). No known exploitation in ransomware campaigns has been reported.
- Vendor: esiteq
- Product: Responsive Video Embedder
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
WordPress site administrators using the Responsive Video Embedder plugin; security teams managing WordPress content management environments; developers maintaining plugins with shortcode handlers
Technical summary
The Responsive Video Embedder plugin's `rem_video` shortcode handler directly interpolates the user-controlled 'id' and 'list' attributes into an iframe src URL without sanitization or output escaping. This classic stored XSS pattern lets an authenticated contributor obtain arbitrary script execution in the browsers of other users who view the post, effectively escalating privileges beyond the contributor role. The attack vector requires no user interaction beyond viewing a compromised post.
Defensive priority
medium
Recommended defensive actions
- Update Responsive Video Embedder plugin to a version newer than 0.1 if available, or remove the plugin if no patch exists
- Review WordPress user roles and restrict contributor access where unnecessary
- Audit existing posts and pages for suspicious [rem_video] shortcode usage, particularly examining 'id' and 'list' attributes for JavaScript payloads
- Implement Content Security Policy (CSP) headers to mitigate impact of any injected scripts
- Enable WordPress automatic updates for plugins to reduce exposure window for future vulnerabilities
- Consider Web Application Firewall (WAF) rules to filter malicious input in shortcode attributes
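The concatenation pattern described in the technical summary and the post audit recommended above, as one added example that is not code from the plugin or from PatchSiren: a Python model of the flaw showing the vulnerable rendering beside a hardened version, and an audit routine that flags [rem_video] shortcodes whose 'id' or 'list' values fall outside an allowlist. The embed base URL, the identifier allowlist, the shortcode attribute grammar and the sample post bodies are constructed assumptions; in an actual WordPress handler the equivalent hardening is `shortcode_atts()` for defaults, an allowlist check on the values, and `esc_url()`/`esc_attr()` on output.

```python
"""Model of the rem_video shortcode flaw: vulnerable vs. hardened rendering,
plus an audit that flags suspicious id/list attribute values in post content.

Added example; not code from the plugin or the advisory. The embed base URL,
the identifier allowlist, the shortcode grammar and the sample posts are
constructed assumptions.
"""
import html
import re
from typing import Dict, List, Optional
from urllib.parse import quote

# Placeholder embed endpoint (assumption; the advisory does not name the provider).
EMBED_BASE = "https://video.example/embed/"

# Conservative allowlist for video and playlist identifiers (assumption):
# letters, digits, underscore and hyphen only, never quotes or angle brackets.
ID_ALLOWLIST = re.compile(r"[A-Za-z0-9_-]{1,64}")

# [rem_video ...] with its attribute string, and key="v" / key='v' / key=v pairs.
SHORTCODE_RE = re.compile(r"\[rem_video\b([^\]]*)\]")
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")


def parse_atts(att_string: str) -> Dict[str, str]:
    """Parse shortcode attributes into a dict, as a handler receives them."""
    atts: Dict[str, str] = {}
    for m in ATTR_RE.finditer(att_string):
        atts[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return atts


def render_vulnerable(atts: Dict[str, str]) -> str:
    """The pattern the advisory describes: raw attribute values concatenated
    into the iframe src with no validation or escaping."""
    src = EMBED_BASE + atts.get("id", "") + "?list=" + atts.get("list", "")
    return '<iframe src="' + src + '" allowfullscreen></iframe>'


def render_hardened(atts: Dict[str, str]) -> Optional[str]:
    """Allowlist-validate, then URL-encode and attribute-escape the src.

    Returns None (render nothing) when a value fails validation. WordPress
    equivalents: shortcode_atts() for defaults, esc_url()/esc_attr() on output.
    """
    vid = atts.get("id", "")
    lst = atts.get("list", "")
    if not ID_ALLOWLIST.fullmatch(vid):
        return None
    if lst and not ID_ALLOWLIST.fullmatch(lst):
        return None
    src = EMBED_BASE + quote(vid, safe="")
    if lst:
        src += "?list=" + quote(lst, safe="")
    return '<iframe src="%s" allowfullscreen></iframe>' % html.escape(src, quote=True)


def audit_content(content: str) -> List[dict]:
    """Flag every [rem_video] shortcode whose id or list value fails the
    allowlist; this is the check behind the 'audit existing posts' action."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        atts = parse_atts(m.group(1))
        bad = {k: v for k, v in atts.items()
               if k in ("id", "list") and v and not ID_ALLOWLIST.fullmatch(v)}
        if bad:
            findings.append({"shortcode": m.group(0), "suspicious": bad})
    return findings


# Constructed post bodies: two benign embeds and one attribute-breakout payload.
SAMPLE_POSTS = {
    1: 'Intro [rem_video id="abc123XYZ_-"] and some text.',
    2: 'Playlist post [rem_video id="abc123XYZ_-" list="PLxyz_001"]',
    3: """Hostile post [rem_video id='"><script>alert(1)</script>']""",
}


if __name__ == "__main__":
    for post_id, body in SAMPLE_POSTS.items():
        for f in audit_content(body):
            print(f"post {post_id}: suspicious {f['suspicious']} in {f['shortcode']}")
    hostile = parse_atts(SHORTCODE_RE.search(SAMPLE_POSTS[3]).group(1))
    print("vulnerable:", render_vulnerable(hostile))
    print("hardened:  ", render_hardened(hostile))
```

Running the audit over exported post content (for example the `post_content` column of `wp_posts`) surfaces shortcodes whose values could never be a legitimate identifier, which is the cheapest way to triage an install that ran the affected version. The hardened renderer rejects rather than "cleans" bad input, because any attempt to strip dangerous characters from a value that should only ever be an identifier is a sign the value is not one.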
Evidence notes
Vulnerability confirmed via Wordfence security advisory and source code analysis at lines 152 and 167 of responsive-video-embedder.php. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as root cause.
Official resources
2026-05-27