PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8038 mcinvale CVE debrief

The Faces of Users WordPress plugin (versions ≤0.0.3) contains a stored cross-site scripting (XSS) vulnerability in the 'facesofusers' shortcode's 'default' attribute. Insufficient input sanitization and output escaping allow authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute when any user accesses an injected page. The vulnerability was disclosed on 2026-05-20 with a CVSS 3.1 score of 6.4 (Medium severity). No patch is currently available; the plugin repository shows version 0.0.3 as the latest tagged release and trunk remains unpatched at the same vulnerable line.

Vendor: mcinvale
Product: Faces of Users
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

WordPress site administrators, security teams managing WordPress installations, and organizations with Contributor or Author role users who may have access to content editing capabilities.

Technical summary

The Faces of Users plugin registers a shortcode handler that directly outputs user-supplied input from the 'default' attribute without sanitization or escaping. The vulnerable code path is located at line 62 in faces-of.php. An attacker with Contributor privileges can craft a post or page containing the shortcode with a malicious payload in the default attribute (e.g., [facesofusers default='...']). When the post is published and viewed, the payload executes in the browser context of any visitor. The vulnerability affects all versions up to and including 0.0.3; no patched version exists as of the disclosure date.
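To make the weakness concrete, the following is an added illustration, not the plugin's own code: a shortcode handler that writes the 'default' attribute into HTML unescaped, beside a hardened handler that sanitizes and escapes it for the attribute context. The function names, the output markup, the meaning of 'default' and the stand-in helpers are assumptions so the file runs under plain php outside WordPress.

```php
<?php
// Added illustration, not the Faces of Users plugin's own code: the unsafe
// shortcode pattern described in the advisory beside a hardened version.
// Function names, the markup and the meaning of 'default' are assumptions.

// Minimal stand-ins so this file runs under plain `php` outside WordPress.
// They approximate the WordPress helpers of the same name and are replaced
// by the real ones when the file is loaded inside WordPress.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
        return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
    }
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
    function sanitize_text_field( $str ) {
        return trim( strip_tags( (string) $str ) );
    }
}

// Vulnerable pattern: the attribute value is written into HTML exactly as
// supplied, so whoever can publish the shortcode controls the markup.
function fou_vulnerable_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'default' => '' ), $atts, 'facesofusers' );
    return '<div class="faces-of-users" data-default="' . $atts['default'] . '"></div>';
}

// Hardened pattern: normalise the value on input, then escape it for the
// exact output context (an HTML attribute) at the point it is emitted.
function fou_hardened_shortcode( $atts ) {
    $atts    = shortcode_atts( array( 'default' => '' ), $atts, 'facesofusers' );
    $default = sanitize_text_field( $atts['default'] );
    return '<div class="faces-of-users" data-default="' . esc_attr( $default ) . '"></div>';
}

// Constructed attribute value that closes the quoted attribute early; no
// script is needed to show the difference between the two handlers.
$atts = array( 'default' => '"><i>injected</i>' );
echo "vulnerable: ", fou_vulnerable_shortcode( $atts ), "\n";
echo "hardened:   ", fou_hardened_shortcode( $atts ), "\n";

// Inside WordPress the hardened handler would be registered with:
// add_shortcode( 'facesofusers', 'fou_hardened_shortcode' );
```

The vulnerable line emits the closing quote and the injected tag verbatim, while the hardened line leaves the attribute intact with the quote and angle bracket encoded.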

Defensive priority

Medium

Recommended defensive actions

  • Audit WordPress installations for the Faces of Users plugin; remove or disable if present until a patched version is released.
  • Implement Content Security Policy (CSP) headers to mitigate impact of potential XSS payloads.
  • Restrict Contributor and Author role assignments to trusted users only; consider using role management plugins to disable unfiltered_html capability where feasible.
  • Monitor for unexpected shortcode usage in post_content and postmeta database tables.
  • Subscribe to Wordfence threat intelligence or plugin security advisories for patch availability notifications.

Evidence notes

Vulnerability confirmed via Wordfence advisory and WordPress plugin repository source code review. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as primary weakness. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.
