PatchSiren cyber security CVE debrief
CVE-2026-8847 mshomali CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in the Dideo WordPress plugin version 1.0. The flaw resides in the plugin's 'dideo' shortcode handler, where the 'id' attribute is interpolated directly into the 'src' attribute of an HTML iframe without input sanitization or output escaping. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts that execute whenever a user views a page containing the injected shortcode. The vulnerability was disclosed on 2026-05-27 with a CVSS 3.1 score of 6.4 (Medium severity). The issue is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation).
- Vendor: mshomali
- Product: Dideo
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
WordPress site administrators using the Dideo plugin; security teams managing WordPress content management systems; developers maintaining WordPress plugins with shortcode functionality
Technical summary
The Dideo plugin for WordPress (version 1.0) contains a stored cross-site scripting vulnerability in its 'dideo' shortcode implementation. The 'id' shortcode attribute is passed unsanitized into an iframe src attribute, enabling script injection by authenticated contributors. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N reflects network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and low impacts to confidentiality and integrity.
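To make the described defect concrete, the following is an added illustration written for this debrief, not the Dideo plugin's own code: a constructed handler that reproduces the unsafe pattern the advisory describes, beside a hardened version. The embed base URL, the function names and the assumed id format (a short alphanumeric token) are assumptions; the plugin's real endpoint and code are not given here.

```php
<?php
// Added illustration, not the Dideo plugin's code. The embed endpoint is a
// placeholder; the real URL format is not stated in the advisory.
define( 'EXAMPLE_EMBED_BASE', 'https://example.invalid/embed/' );

// UNSAFE PATTERN (the defect class the advisory describes): the raw 'id'
// attribute is concatenated straight into the iframe src, so attribute
// context is never enforced. Shown for contrast only; do not register it.
function example_dideo_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'dideo' );
    return '<iframe src="' . EXAMPLE_EMBED_BASE . $atts['id'] . '"></iframe>';
}

// Allow-list validation: accept only the token shape an embed id is expected
// to have (assumed format), reject everything else up front.
function example_dideo_valid_id( $raw ) {
    $raw = trim( (string) $raw );
    return preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $raw ) ? $raw : null;
}

// HARDENED: validate on input, then escape on output. esc_url() is the
// WordPress escaper for URLs placed in HTML attributes; rawurlencode()
// keeps the id confined to a single path segment. An invalid id renders
// nothing rather than a partially built tag.
function example_dideo_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'dideo' );
    $id   = example_dideo_valid_id( $atts['id'] );
    if ( null === $id ) {
        return '';
    }
    $src = esc_url( EXAMPLE_EMBED_BASE . rawurlencode( $id ) );
    return '<iframe src="' . $src . '" frameborder="0" allowfullscreen></iframe>';
}

add_shortcode( 'dideo', 'example_dideo_shortcode_safe' );
```

The same allow-list regex can double as the audit rule for existing content: any stored [dideo] shortcode whose 'id' fails it deserves review.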
Defensive priority
medium
Recommended defensive actions
- Update the Dideo plugin to a patched version when available, or remove the plugin if no patch is forthcoming
- Review and restrict contributor-level user permissions to reduce attack surface
- Implement Content Security Policy (CSP) headers to mitigate impact of XSS payloads
- Audit existing posts and pages for suspicious [dideo] shortcode usage, particularly those with malformed or unexpected 'id' attribute values
- Consider using WordPress security plugins that provide shortcode input validation and output escaping hardening
Evidence notes
Vulnerability confirmed via Wordfence security advisory and WordPress plugin repository source code review. The affected code paths are identified at lines 13 and 17 of dideo.php in the wp-dideo plugin trunk.