PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8842 morettolss CVE debrief

The Google+ Link Name plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via the 'gplusnamelink' shortcode in versions up to and including 1.0. The flaw is in the gplusnamelink_generate() function, which concatenates the user-supplied 'id' and 'name' shortcode attributes directly into the rendered HTML without sanitizing or escaping them. An authenticated attacker with contributor-level access or higher can plant a shortcode whose attribute values carry arbitrary web script, which then executes in the browser of anyone who views the page containing it. The CVE was published on 2026-05-27 with a CVSS 3.1 base score of 6.4 (Medium).

Vendor
morettolss
Product
Google+ Link Name
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

WordPress site administrators running the Google+ Link Name plugin; security teams that track WordPress plugin vulnerabilities; organizations that grant contributor-level (or higher) accounts to partly trusted authors, since those accounts are all that is needed to plant the payload

Technical summary

The gplusnamelink_generate() function in the Google+ Link Name WordPress plugin neither sanitizes nor escapes the 'id' and 'name' shortcode attributes before writing them into HTML. An authenticated user with contributor privileges can therefore inject JavaScript through a [gplusnamelink id='...' name='...'] shortcode. This matters even though contributors lack the unfiltered_html capability: WordPress strips raw <script> tags from their posts on save, but a shortcode attribute is plain text at save time and only becomes markup when the shortcode is rendered, so the filter never sees the resulting HTML. Contributors cannot publish, so in practice the script first fires when an editor or administrator previews or reviews the pending post, and again for every visitor once it is published. The script runs in the victim's session context, enabling session hijacking, credential theft, or forged administrative actions performed with the victim's privileges.
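A reduced shortcode handler modeled on the description above, placed beside a hardened version, as an added illustration of the pattern. This is not the plugin's actual source: the anchor template, the profile URL prefix, the accepted shape of a profile 'id' and the default values are all assumptions made for the example.

```php
<?php
// Added example modeled on the advisory's description; NOT the plugin's own code.
// Runs inside WordPress (shortcode_atts, esc_url, esc_html, add_shortcode are core APIs).
// The anchor markup, URL prefix and the accepted 'id' shape are assumptions.

// Vulnerable pattern: attribute values are concatenated straight into the markup.
// 'id' lands inside a double-quoted href attribute and 'name' inside the element body,
// so a value containing a double quote or an angle bracket is no longer data but markup.
function gplusnamelink_generate_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'name' => '' ), $atts, 'gplusnamelink' );
    return '<a href="https://plus.google.com/' . $atts['id'] . '">' . $atts['name'] . '</a>';
}

// Hardened pattern: allowlist the identifier, then escape each value for the
// context it is written into (URL attribute vs. element body).
function gplusnamelink_generate_fixed( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'name' => '' ), $atts, 'gplusnamelink' );

    // Assumption for the example: a profile id is a run of digits or a '+handle'.
    // Rejecting anything else removes the attacker's metacharacters outright;
    // the escaping below is the second layer, not a replacement for this check.
    $id = $atts['id'];
    if ( ! preg_match( '/^(\d{1,25}|\+[A-Za-z0-9_.-]{1,64})$/', $id ) ) {
        return '';
    }

    $url  = 'https://plus.google.com/' . $id;
    $name = ( $atts['name'] !== '' ) ? $atts['name'] : $id;

    return sprintf(
        '<a href="%s" rel="noopener noreferrer">%s</a>',
        esc_url( $url ),   // URL attribute context: esc_url() also drops unsafe schemes
        esc_html( $name )  // element body context: esc_html() neutralises < > & " '
    );
}

add_shortcode( 'gplusnamelink', 'gplusnamelink_generate_fixed' );
```

The point of the fixed version is that escaping is chosen per output context: esc_url() for a value that becomes an href, esc_html() for text between tags, and esc_attr() would be the right call for a plain (non-URL) attribute value. Concatenating raw attribute values, as the vulnerable function does, skips that decision entirely.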

Defensive priority

medium

Recommended defensive actions

  • Update the Google+ Link Name plugin to a release later than 1.0 (the advisory cites 1.0.1) if the vendor has published one; otherwise disable or remove the plugin. Removing the plugin also stops existing shortcodes from rendering, so any payload already stored becomes inert text.
  • Review existing posts and pages, including drafts, pending posts and revisions, for [gplusnamelink] shortcodes whose 'id' or 'name' attributes contain quotes, angle brackets, on*= event handlers or a javascript: scheme, with particular attention to content authored by contributor-level accounts
  • Deploy a Content Security Policy to limit what an injected script can do. Note that a policy strict enough to block this attack (nonce- or hash-based script-src, no 'unsafe-inline') often breaks WordPress themes and plugins that emit inline scripts, so test it in report-only mode first; CSP reduces impact, it does not remove the need to patch
  • Review who holds contributor or higher roles and remove accounts that are not needed. Shortcodes are available to any role that can write posts, so narrowing who can author content is the only WordPress-native way to limit who can plant one
  • Web server access logs do not record POST bodies, so do not rely on them to spot a planted shortcode; audit the stored post content directly (see the review action above) and, where an audit-log plugin records post edits, alert on shortcode text containing script tags or event handlers
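One way to carry out the content review recommended above, as an added example that is not part of the advisory or the plugin: a scanner that extracts every [gplusnamelink] shortcode from a block of post content, parses its 'id' and 'name' attributes, and flags values containing HTML or script metacharacters. The indicator list, the expected 'id' shape and the sample posts are constructed for illustration.

```php
<?php
// Added example (not from the plugin or the advisory): find [gplusnamelink] shortcodes
// whose attribute values look like an injection attempt. Indicators, the assumed 'id'
// shape and the sample posts below are constructed for illustration.

/**
 * Return one finding per suspicious 'id' or 'name' attribute found in $content.
 * Each finding carries the full shortcode text, the attribute, its raw value and
 * the names of the indicators that matched.
 */
function gplusnamelink_find_suspicious( string $content ): array {
    $indicators = array(
        'quote_breakout' => '/["\']/',                       // can close a quoted href="..."
        'tag_open'       => '/[<>]/',                        // can close <a> or open a new element
        'event_handler'  => '/\bon[a-z]+\s*=/i',             // onmouseover=, onerror=, ...
        'script_scheme'  => '/\b(javascript|data|vbscript)\s*:/i',
        'script_tag'     => '/<\s*\/?\s*script\b/i',
    );

    $findings = array();
    // Every [gplusnamelink ...] tag; the attribute text runs up to the closing bracket.
    if ( ! preg_match_all( '/\[gplusnamelink\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER ) ) {
        return $findings;
    }

    foreach ( $tags as $tag ) {
        // id="..." / name='...' / name=bare. A quoted value may contain the other quote,
        // which is exactly how an attribute breakout is written.
        preg_match_all(
            '/\b(id|name)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/i',
            $tag[1], $attrs, PREG_SET_ORDER
        );
        foreach ( $attrs as $a ) {
            $attr  = strtolower( $a[1] );
            $value = '';
            foreach ( array( 2, 3, 4 ) as $g ) {          // first capture group that matched
                if ( isset( $a[ $g ] ) && $a[ $g ] !== '' ) { $value = $a[ $g ]; break; }
            }

            $hits = array();
            foreach ( $indicators as $label => $re ) {
                if ( preg_match( $re, $value ) ) { $hits[] = $label; }
            }
            // Assumption: a legitimate profile id is digits or a '+handle'; anything else is odd.
            if ( $attr === 'id' && ! preg_match( '/^(\d+|\+[\w.-]+)$/', $value ) ) {
                $hits[] = 'unexpected_id_shape';
            }
            if ( $hits ) {
                $findings[] = array(
                    'shortcode'  => $tag[0],
                    'attribute'  => $attr,
                    'value'      => $value,
                    'indicators' => $hits,
                );
            }
        }
    }
    return $findings;
}

// Constructed sample rows shaped like wp_posts (ID, post_author, post_status, post_content).
$sample_posts = array(
    array( 'ID' => 101, 'post_author' => 7,  'post_status' => 'publish',
           'post_content' => 'Find me on Google+: [gplusnamelink id="118123456789012345678" name="Alice Example"]' ),
    array( 'ID' => 102, 'post_author' => 12, 'post_status' => 'pending',
           'post_content' => "Profile: [gplusnamelink id='118\" onmouseover=\"alert(document.cookie)' name='Bob']" ),
    array( 'ID' => 103, 'post_author' => 12, 'post_status' => 'draft',
           'post_content' => '[gplusnamelink id="1" name="<img src=x onerror=alert(1)>"]' ),
);

foreach ( $sample_posts as $post ) {
    foreach ( gplusnamelink_find_suspicious( $post['post_content'] ) as $f ) {
        printf( "post %d (author %d, %s): %s=%s  [%s]\n",
            $post['ID'], $post['post_author'], $post['post_status'],
            $f['attribute'], $f['value'], implode( ',', $f['indicators'] ) );
    }
}
```

Post 101 produces no finding; post 102 is flagged on 'id' (quote_breakout, event_handler, unexpected_id_shape) and post 103 on 'name' (tag_open, event_handler). On a live site, replace the constructed rows with real ones, for example by running `wp db query "SELECT ID, post_author, post_status, post_content FROM wp_posts WHERE post_content LIKE '%[gplusnamelink%'"` (adjust the table prefix) and feeding the rows to the function with `wp eval-file`; do not filter on post_status, because a contributor's payload normally sits in a pending or draft post, and include revisions, which keep the text even after the visible post is cleaned.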

Evidence notes

Vulnerability confirmed by analysis of the plugin source, which shows the 'id' and 'name' attributes concatenated directly into the output at lines 15 and 19 of gplusnamelink.php with no esc_attr(), esc_html() or esc_url() call. CWE-79 (Improper Neutralization of Input During Web Page Generation) is the primary weakness.

Official resources

2026-05-27