PatchSiren cyber security CVE debrief

CVE-2026-8872 fides-it CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in the Animate Your Content WordPress plugin (versions 1.0.0 and earlier). The flaw is in the `shortcode_args_to_html_attrs()` function, which concatenates user-supplied shortcode attributes into double-quoted HTML attributes without sanitizing or escaping them. An authenticated attacker with the Contributor role or higher can inject arbitrary JavaScript that executes in the browser of any user who views the affected page. The vulnerability was disclosed on 2026-05-27 and carries a CVSS 3.1 base score of 6.4 (Medium). No exploitation in ransomware campaigns has been reported.

Vendor: fides-it
Product: Animate Your Content
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators, security teams managing WordPress installations, web application developers who build shortcode-based plugins, and organizations that grant the Contributor or Author role to guest writers or other semi-trusted users.

Technical summary

The vulnerability stems from missing `esc_attr()` calls in `shortcode_args_to_html_attrs()`, which interpolates user input directly into HTML attribute strings. The `animation-set` shortcode accepts arbitrary attributes, and both their names and their values are output without sanitization. An attacker can therefore either supply an event-handler attribute directly (e.g., `attribute_name='value' onmouseover='alert(1)'`, where `onmouseover` is emitted as a live HTML attribute) or place a double quote inside a value so that it terminates the double-quoted HTML attribute and the remainder is parsed as further attributes. Users with the Contributor or Author role can embed such shortcodes in posts or pages; those roles normally lack the `unfiltered_html` capability, so the flaw bypasses WordPress's usual protection against script injection by low-privilege authors (Administrators, and Editors on single-site installs, can already post unfiltered HTML). The post does not have to be published: an Editor or Administrator previewing a Contributor's pending submission renders the shortcode. When rendered, the injected script runs in the viewing user's browser session, potentially enabling session hijacking, credential theft, or abuse of the victim's privileges, which for an administrator victim amounts to control of the site.
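The following PHP is an added illustration, not the plugin's own code: it reconstructs the unsafe pattern the advisory describes beside a hardened version. The signature and body of `shortcode_args_to_html_attrs()`, the attribute allow-list, and the sample attacker input are all assumptions; only the missing-escaping flaw is taken from the advisory. The `esc_attr()` and `sanitize_key()` stand-ins exist so the file runs from the command line; inside WordPress the real functions are used.

```php
<?php
// Added illustration, not the plugin's code: reconstruction of the unsafe
// pattern the advisory describes next to a hardened version. The function
// signature, body and allow-list are assumed.

// Stand-ins so this file runs outside WordPress (the real esc_attr() and
// sanitize_key() take over when loaded inside WordPress).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_key' ) ) {
    function sanitize_key( $key ) {
        return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
    }
}

/**
 * Vulnerable pattern: attribute names and values are concatenated straight
 * into double-quoted HTML attributes. A value containing a double quote ends
 * the attribute early, and an attribute *name* such as onload is emitted as-is.
 */
function vulnerable_shortcode_args_to_html_attrs( array $atts ) {
    $html = '';
    foreach ( $atts as $name => $value ) {
        $html .= ' ' . $name . '="' . $value . '"';
    }
    return $html;
}

/**
 * Hardened version: names are restricted to an allow-list of attributes the
 * shortcode actually supports, event-handler names are refused even if
 * someone later adds one to the list, and values are escaped for the
 * attribute context with esc_attr().
 */
function hardened_shortcode_args_to_html_attrs( array $atts, array $allowed ) {
    $html = '';
    foreach ( $atts as $name => $value ) {
        $name = sanitize_key( $name );
        if ( ! in_array( $name, $allowed, true ) || 0 === strpos( $name, 'on' ) ) {
            continue; // unknown or event-handler attribute: drop it
        }
        $html .= ' ' . $name . '="' . esc_attr( $value ) . '"';
    }
    return $html;
}

// Constructed attacker input, in the form WordPress's shortcode parser hands
// to the shortcode callback for a post containing
//   [animation-set data-anim='fade" onmouseover="alert(1)' onload='alert(2)']
$atts = array(
    'data-anim' => 'fade" onmouseover="alert(1)',
    'onload'    => 'alert(2)',
);
$allowed = array( 'data-anim', 'data-delay', 'class' ); // assumed allow-list

echo "vulnerable: <div" . vulnerable_shortcode_args_to_html_attrs( $atts ) . "></div>\n";
echo "hardened:   <div" . hardened_shortcode_args_to_html_attrs( $atts, $allowed ) . "></div>\n";
```

With the vulnerable function the `data-anim` value closes its own attribute, `onmouseover` becomes a live handler, and the `onload` shortcode attribute is emitted verbatim. With the hardened function `esc_attr()` turns the embedded `"` into `&quot;`, so the whole string stays inside the `data-anim` value, and `onload` is discarded because it is not on the allow-list. Escaping alone is not sufficient here: without the allow-list (or an equivalent name check) an attacker simply names the shortcode attribute `onload`.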

Defensive priority

medium

Recommended defensive actions

  • Update the Animate Your Content plugin to a version later than 1.0.0 once the vendor releases one; if no fixed version is available, deactivate and remove the plugin.
  • Review existing posts and pages, including drafts and pending submissions, for `[animation-set]` shortcodes that carry unexpected attribute names (especially `on*` event handlers) or values containing double quotes, prioritising content authored by Contributor and Author accounts.
  • Deploy a Content Security Policy whose `script-src` omits `'unsafe-inline'` (use nonces or hashes for legitimate inline scripts). Browsers block inline event handlers such as `onmouseover` only under that condition; a policy that allows `'unsafe-inline'` does nothing against this flaw.
  • Until patching is confirmed, consider temporarily restricting Contributor and Author capabilities with a capability management plugin (removing `edit_posts` stops those accounts from submitting new content), bearing in mind that the editors and administrators who preview their pending posts are the likely victims.
  • Enable WordPress automatic updates for plugins, or establish a routine patch management cycle for WordPress installations.
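The content review step above can be scripted. The PHP below is an added example, not part of the advisory or the plugin: it scans post content for `[animation-set]` shortcodes whose attributes name an event handler or whose values could break out of a double-quoted HTML attribute. The attribute parser is a simplified stand-in for WordPress's `shortcode_parse_atts()` (inside WordPress, call that function instead), and the sample posts are constructed; the shortcode name is the one the advisory gives.

```php
<?php
// Added example, not from the advisory or the plugin: heuristic scan of post
// content for [animation-set] shortcodes with dangerous attributes.
// The sample posts are constructed.

/**
 * Minimal attribute parser covering the three quoting forms WordPress's
 * shortcode_parse_atts() accepts (name="v", name='v', name=v), with names
 * lowercased as WordPress does. Inside WordPress use shortcode_parse_atts().
 */
function parse_shortcode_attrs( string $text ) {
    $atts    = array();
    $pattern = '/([\w-]+)\s*=\s*"([^"]*)"|([\w-]+)\s*=\s*\'([^\']*)\'|([\w-]+)\s*=\s*([^\s\'"]+)/';
    if ( preg_match_all( $pattern, $text, $matches, PREG_SET_ORDER ) ) {
        foreach ( $matches as $m ) {
            if ( '' !== ( $m[1] ?? '' ) ) {
                $atts[ strtolower( $m[1] ) ] = $m[2];
            } elseif ( '' !== ( $m[3] ?? '' ) ) {
                $atts[ strtolower( $m[3] ) ] = $m[4];
            } elseif ( '' !== ( $m[5] ?? '' ) ) {
                $atts[ strtolower( $m[5] ) ] = $m[6];
            }
        }
    }
    return $atts;
}

/**
 * Returns the suspicious [animation-set] occurrences in $content, each with
 * the raw shortcode text and the reasons it was flagged.
 */
function find_suspicious_animation_shortcodes( string $content ) {
    $findings = array();
    // Opening tags only; shortcode attribute text cannot itself contain ']'.
    if ( ! preg_match_all( '/\[animation-set\b([^\]]*)\]/', $content, $tags, PREG_SET_ORDER ) ) {
        return $findings;
    }
    foreach ( $tags as $tag ) {
        $reasons = array();
        foreach ( parse_shortcode_attrs( $tag[1] ) as $name => $value ) {
            if ( 0 === strpos( $name, 'on' ) ) {
                $reasons[] = "event-handler attribute name '$name'";
            }
            if ( false !== strpos( $value, '"' ) ) {
                $reasons[] = "double quote in value of '$name' (breaks out of a \"...\" HTML attribute)";
            }
            if ( preg_match( '/[<>]/', $value ) ) {
                $reasons[] = "angle bracket in value of '$name'";
            }
            if ( preg_match( '/javascript\s*:/i', $value ) ) {
                $reasons[] = "javascript: URL in value of '$name'";
            }
        }
        if ( $reasons ) {
            $findings[] = array( 'shortcode' => $tag[0], 'reasons' => $reasons );
        }
    }
    return $findings;
}

// Constructed post_content samples keyed by post ID. In WordPress, pull real
// rows with get_posts( array( 'post_status' => 'any', ... ) ) so that drafts
// and pending Contributor submissions are included, not just published posts.
$sample_posts = array(
    101 => 'Benign use: [animation-set data-anim="fade" data-delay="200"] text.',
    102 => "Pending draft: [animation-set data-anim='fade\" onmouseover=\"alert(document.cookie)'] text.",
    103 => 'Two uses: [animation-set onload="alert(1)"] and [animation-set data-anim=slide].',
);

foreach ( $sample_posts as $post_id => $content ) {
    foreach ( find_suspicious_animation_shortcodes( $content ) as $f ) {
        echo "post $post_id: " . $f['shortcode'] . "\n";
        foreach ( $f['reasons'] as $r ) {
            echo "  - $r\n";
        }
    }
}
```

Post 101 produces no findings; post 102 is flagged for the double quote inside the `data-anim` value, and the first shortcode in post 103 for its `onload` attribute name. The checks are deliberately broad (a benign attribute whose name happens to start with `on` would also be reported), so treat hits as candidates for manual review rather than confirmed compromise, and extend the character checks if the plugin emits attributes in other contexts than a double-quoted attribute value.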

Evidence notes

Vulnerability confirmed via Wordfence security advisory and WordPress plugin source code references. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as primary weakness. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

Official resources

2026-05-27