PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8887 konforti CVE debrief

The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 1.0. The vulnerability exists in the `listenEmbedJS()` function, where user-supplied attributes (`src`, `start`, `end`) are echoed inside single-quoted HTML attributes without proper sanitization or output escaping. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts that execute when users access injected pages. The vulnerability was disclosed on 2026-05-27 and has been assigned a CVSS 3.1 score of 6.4 (Medium severity). The issue is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation).

Vendor
konforti
Product
Listen Shortcode
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

WordPress site administrators using the Listen Shortcode plugin; security teams monitoring WordPress plugin vulnerabilities; developers responsible for plugin security updates

Technical summary

The vulnerability stems from insufficient input sanitization and output escaping in the `listenEmbedJS()` function of the Listen Shortcode WordPress plugin. User-supplied attributes (`src`, `start`, `end`) are echoed directly into single-quoted HTML attributes without escaping, so a value containing a single quote ends the attribute early and the remainder of the value is parsed as markup, enabling stored XSS. Attackers with contributor-level or higher privileges can craft malicious shortcodes that persist in posts and pages and execute in the browsers of anyone who views them. The attack requires no user interaction beyond viewing the injected page; the attack vector is network-based and the attack complexity is low.

Defensive priority

medium

Recommended defensive actions

  • Update the Listen Shortcode WordPress plugin to a version newer than 1.0 if available, or remove the plugin if no patch is released
  • Review existing posts and pages for malicious [listen] shortcode usage, particularly checking the src, start, and end attributes for suspicious JavaScript payloads
  • Implement Content Security Policy (CSP) headers to mitigate impact of any stored XSS payloads
  • Consider removing the `unfiltered_html` capability from contributor-level users if it is not required for business operations
  • Monitor web access logs for unusual requests to pages containing [listen] shortcodes
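To support the post-and-page review in the second action above, here is an added example audit script, written for this debrief and not part of the plugin or of PatchSiren. It assumes post content is supplied as (post id, body) pairs, for instance exported from the `wp_posts` table, parses each `[listen ...]` shortcode with the quoting forms WordPress accepts, and flags `src`, `start` or `end` values that contain quote characters or angle brackets, use a non-http scheme, or (for the time offsets) are not whole numbers. The sample posts are constructed.

```python
import re

# [listen ...] shortcodes and their attribute string.
SHORTCODE_RE = re.compile(r"\[listen\b([^\]]*)\]", re.IGNORECASE)
# name="value", name='value' or name=value, as WordPress's shortcode parser accepts.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")

# Characters that can close the plugin's single-quoted attribute or open a tag.
SUSPICIOUS_CHARS = ("'", '"', "<", ">")
# Schemes that should never appear in a media src.
SUSPICIOUS_SCHEMES = ("javascript:", "data:", "vbscript:")

def parse_listen_shortcodes(content):
    """Yield (raw shortcode, attribute dict) for each [listen ...] in a post body."""
    for m in SHORTCODE_RE.finditer(content):
        atts = {}
        for a in ATTR_RE.finditer(m.group(1)):
            name = a.group(1).lower()
            # Exactly one of the three value groups matched.
            value = next(v for v in a.groups()[1:] if v is not None)
            atts[name] = value
        yield m.group(0), atts

def audit_attributes(atts):
    """Return a list of reasons an attribute set looks tampered with (empty if clean)."""
    reasons = []
    for key in ("src", "start", "end"):
        value = atts.get(key)
        if value is None:
            continue
        if any(c in value for c in SUSPICIOUS_CHARS):
            reasons.append(f"{key}: contains a quote or angle bracket")
        if value.replace(" ", "").lower().startswith(SUSPICIOUS_SCHEMES):
            reasons.append(f"{key}: non-http scheme")
        if key in ("start", "end") and not value.strip().isdigit():
            reasons.append(f"{key}: not a whole number of seconds")
    return reasons

def audit_posts(posts):
    """Scan (post_id, content) pairs and collect findings for shortcodes that fail the audit."""
    findings = []
    for post_id, content in posts:
        for raw, atts in parse_listen_shortcodes(content):
            reasons = audit_attributes(atts)
            if reasons:
                findings.append({"post_id": post_id, "shortcode": raw, "reasons": reasons})
    return findings

# Constructed sample posts: 101 is benign, 102 carries a quote inside the
# double-quoted src value and a non-numeric end offset, 103 has no shortcode.
SAMPLE_POSTS = [
    (101, 'Episode notes [listen src="https://cdn.example/ep1.mp3" start="0" end="120"] more text'),
    (102, '[listen src="clip.mp3\' data-x=\'1" start="5" end="ten"]'),
    (103, "No shortcode here."),
]

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print(finding["post_id"], finding["shortcode"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against a full export, the output gives the reviewer a short list of post ids to inspect by hand and, if the plugin is kept, to clean or revert; a find with any finding on a post last edited by a contributor-level account is the one to look at first.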

Evidence notes

Vulnerability confirmed via WordPress plugin repository source code review (lines 22 and 43 of heganoo-shortcode.php) and Wordfence threat intelligence. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

Official resources

2026-05-27