PatchSiren cyber security CVE debrief

CVE-2026-8844 kevin1804 CVE debrief

A stored cross-site scripting (XSS) vulnerability in the Responsive Check WordPress plugin allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts via the 'rspcheck' shortcode. The flaw exists in versions up to and including 0.0.3 due to insufficient input sanitization and output escaping on the 'url' and 'button' shortcode attributes within the rspc_check_shortcode() function. These attributes are echoed directly into iframe src attributes without proper escaping functions such as esc_attr() or esc_url(). When a page containing the malicious shortcode is accessed, the injected scripts execute in the context of the victim's browser. The vulnerability was published on May 27, 2026, and carries a CVSS 3.1 score of 6.4 (Medium severity). No known exploitation in ransomware campaigns has been documented.

Vendor: kevin1804
Product: Responsive Check
CVSS: 6.4 (Medium)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators using the Responsive Check plugin; security teams managing WordPress content management systems; developers maintaining WordPress plugins with shortcode functionality; organizations with contributor-level user access on public-facing WordPress installations

Technical summary

The Responsive Check plugin for WordPress (versions up to and including 0.0.3) contains a stored XSS vulnerability in the rspc_check_shortcode() function. The 'url' and 'button' shortcode attributes are rendered into iframe src attributes without escaping, so an authenticated contributor can inject script through them. The vulnerability is classified as CWE-79 with a CVSS 3.1 score of 6.4 (Medium): the attack vector is network-based with low attack complexity, low privileges required and no user interaction. Scope is changed due to iframe sandboxing implications.

Defensive priority

Medium

Recommended defensive actions

  • Update the Responsive Check WordPress plugin to a version newer than 0.0.3 if available, or remove the plugin if updates are not forthcoming
  • Review existing posts and pages for unauthorized use of the rspcheck shortcode, particularly those created by contributor-level users or higher
  • Implement output escaping using esc_attr() and esc_url() for all shortcode attributes that render in HTML contexts, especially iframe src attributes
  • Apply the principle of least privilege by restricting contributor and author roles where possible, and audit user capabilities regularly
  • Consider implementing Content Security Policy (CSP) headers to mitigate the impact of any successful XSS injection
  • Enable WordPress automatic updates for plugins or establish a regular patch management cycle to address future vulnerabilities promptly
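To make the technical summary and the escaping recommendation above concrete, here is an added illustration that is not the Responsive Check plugin's own source: the unsafe pattern the advisory describes next to a hardened handler. The shortcode tag, attribute names and function name follow the advisory; the handler bodies are constructed, and esc_url(), esc_attr(), shortcode_atts() and add_shortcode() are WordPress core functions, so the code assumes it runs inside WordPress.

```php
<?php
// Constructed example modelled on the pattern the advisory describes;
// not the plugin's actual code. Assumes a WordPress runtime.

// Unsafe pattern: the 'url' attribute is concatenated straight into the
// iframe src attribute. Any quote or angle bracket in it can terminate the
// attribute or tag, and non-http schemes are accepted as-is.
function rspc_check_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'button' => '' ), $atts, 'rspcheck' );
    return '<iframe src="' . $atts['url'] . '"></iframe>';
}

// Hardened form: restrict the scheme, then escape for the attribute context.
function rspc_check_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'button' => 'Check' ), $atts, 'rspcheck' );

    // esc_url() returns '' when the URL uses a protocol outside the allowed
    // list (here only http/https), so javascript: and data: never reach src.
    $url = esc_url( $atts['url'], array( 'http', 'https' ) );
    if ( '' === $url ) {
        return ''; // nothing rendered for an invalid or disallowed URL
    }

    // esc_attr() encodes quotes and angle brackets so the label cannot break
    // out of the attribute it is placed in.
    $label = esc_attr( $atts['button'] );

    return sprintf( '<iframe src="%s" title="%s"></iframe>', $url, $label );
}

add_shortcode( 'rspcheck', 'rspc_check_shortcode_safe' );
```

The fix has to be applied to every attribute that reaches HTML; escaping only 'url' while still echoing 'button' raw would leave the second injection point open.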

Evidence notes

Vulnerability confirmed via Wordfence security advisory and WordPress plugin repository source code analysis. Specific vulnerable code locations identified at lines 14, 25, and 54 of responsive-check.php. CWE-79 (Improper Neutralization of Input During Web Page Generation) classified as primary weakness.
