PatchSiren cyber security CVE debrief

CVE-2026-8898 ruchit47 CVE debrief

The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'org-events' shortcode in versions up to and including 3.0. The vulnerability exists in the org_event_scode() function, where user-supplied attributes—including 'organizer_id', 'width', 'height', 'transparency', 'header', 'border', and 'layout'—are concatenated directly into HTML attributes without proper sanitization or output escaping via esc_attr(). This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages, which execute when users access the injected content. The vulnerability was published on May 27, 2026, and is classified as MEDIUM severity with a CVSS score of 6.4.

Vendor: ruchit47
Product: Events In City
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators using the Events In City plugin; security teams monitoring plugin vulnerabilities; developers maintaining WordPress shortcode implementations

Technical summary

The org_event_scode() function in the Events In City WordPress plugin (≤3.0) fails to sanitize or escape user-supplied shortcode attributes before concatenating them into HTML output. Multiple attributes (organizer_id, width, height, transparency, header, border, layout) are affected. The missing esc_attr() calls allow JavaScript injection through attribute value manipulation. Attackers with contributor or higher privileges can embed malicious shortcodes in posts/pages, achieving persistent script execution in victim browsers.
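The pattern the summary describes, as an added example rather than the plugin's own code: a simplified shortcode handler that concatenates raw attributes into HTML attribute values, beside a hardened version that coerces or allow-lists each attribute and escapes it with esc_attr() at output. The attribute names come from the advisory; the markup, the default values and the function names org_events_unsafe()/org_events_hardened() are assumptions, and the stand-in definitions of esc_attr(), shortcode_atts() and absint() exist only so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's code: a simplified org-events shortcode
// handler in the unsafe shape the advisory describes (attributes concatenated
// straight into HTML attributes) next to a hardened version that validates
// each attribute and escapes it with esc_attr() at output time.
// The markup and the function names org_events_unsafe()/org_events_hardened()
// are assumptions for illustration.

// Minimal stand-ins so the file runs outside WordPress; inside WordPress the
// real esc_attr(), shortcode_atts() and absint() are already defined.
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, $atts): array {
        $atts = (array) $atts;
        $out = [];
        foreach ($defaults as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('absint')) {
    function absint($maybeint): int { return abs((int) $maybeint); }
}

// Attribute names from the advisory; the default values are assumed.
const ORG_EVENTS_DEFAULTS = [
    'organizer_id' => '0',
    'width'        => '300',
    'height'       => '400',
    'transparency' => '0',
    'header'       => 'yes',
    'border'       => 'yes',
    'layout'       => 'list',
];

// Unsafe pattern: raw shortcode attributes land inside HTML attribute values.
function org_events_unsafe(array $atts): string {
    $a = shortcode_atts(ORG_EVENTS_DEFAULTS, $atts);
    return '<div class="org-events org-events-' . $a['layout'] . '" '
         . 'data-organizer="' . $a['organizer_id'] . '" '
         . 'data-header="' . $a['header'] . '" data-border="' . $a['border'] . '" '
         . 'data-transparency="' . $a['transparency'] . '" '
         . 'style="width:' . $a['width'] . 'px;height:' . $a['height'] . 'px"></div>';
}

// Hardened: coerce numerics, allow-list enumerations, escape every value.
function org_events_hardened(array $atts): string {
    $a = shortcode_atts(ORG_EVENTS_DEFAULTS, $atts);
    $organizer    = absint($a['organizer_id']);
    $width        = absint($a['width']);
    $height       = absint($a['height']);
    $transparency = min(1.0, max(0.0, (float) $a['transparency']));
    $header = $a['header'] === 'no' ? 'no' : 'yes';
    $border = $a['border'] === 'no' ? 'no' : 'yes';
    $layout = in_array($a['layout'], ['list', 'grid'], true) ? $a['layout'] : 'list';
    return '<div class="org-events org-events-' . esc_attr($layout) . '" '
         . 'data-organizer="' . esc_attr($organizer) . '" '
         . 'data-header="' . esc_attr($header) . '" data-border="' . esc_attr($border) . '" '
         . 'data-transparency="' . esc_attr($transparency) . '" '
         . 'style="width:' . esc_attr($width) . 'px;height:' . esc_attr($height) . 'px"></div>';
}

// Constructed input: a double quote in 'width' closes the style attribute
// early in the unsafe output; the hardened output keeps width as 300.
$tainted = ['width' => '300" title="injected', 'layout' => 'grid'];
echo org_events_unsafe($tainted), "\n";
echo org_events_hardened($tainted), "\n";
```

Run it with `php org-events-example.php` and compare the two lines: the unsafe output carries an extra `title="injected"` attribute that the author never wrote, while the hardened output has `width:300px`. The fix is two-layered on purpose: type coercion and allow-lists shrink what can reach the markup at all, and esc_attr() on every value is the output-escaping step whose absence the advisory identifies, so either layer alone would still close the attribute-breakout case shown here.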

Defensive priority

medium

Recommended defensive actions

  • Update the Events In City WordPress plugin to a version newer than 3.0 if available
  • If no patch is available, disable the plugin or restrict contributor-level access until remediation
  • Review existing posts and pages for suspicious org-events shortcode usage
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact
  • Enable WordPress auto-updates for plugins where feasible
  • Conduct security review of custom shortcode implementations for similar patterns
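A helper for the "review existing posts and pages" action above, added here as an example and not part of the advisory or the plugin: it scans post content for [org-events ...] tags and flags attribute values that do not match the attribute's expected type or that contain characters able to close an HTML attribute. The shortcode and attribute regexes are a simplified stand-in for WordPress's own shortcode parser, the allow-lists for header/border/layout are assumed, and the post rows are constructed sample data; in a real site the content would come from WP_Query or a WP-CLI script.

```php
<?php
// Added example, not from the advisory or the plugin: an audit helper for the
// "review existing posts for suspicious org-events shortcode usage" action.
// It scans post content for [org-events ...] tags and flags attribute values
// that do not fit the attribute's expected type or contain characters that
// could close an HTML attribute. The regexes are a simplified stand-in for
// WordPress's own shortcode parser; the post rows below are constructed.

const ORG_EVENTS_INT_ATTRS  = ['organizer_id', 'width', 'height'];
const ORG_EVENTS_ENUM_ATTRS = [
    'header' => ['yes', 'no'],    // assumed allow-lists
    'border' => ['yes', 'no'],
    'layout' => ['list', 'grid'],
];

/** Return a list of [attribute, value, reason] findings for one post body. */
function org_events_audit(string $content): array {
    $findings = [];
    if (!preg_match_all('/\[org-events(?=[\s\]])([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER)) {
        return $findings;
    }
    foreach ($tags as $tag) {
        // key="value", key='value' or key=value
        preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/', $tag[1], $pairs, PREG_SET_ORDER);
        foreach ($pairs as $p) {
            $name  = strtolower($p[1]);
            // Only one of the three value groups matches; the others are '' or absent.
            $value = ($p[2] ?? '') . ($p[3] ?? '') . ($p[4] ?? '');

            if (preg_match('/[<>"\']/', $value)) {
                $findings[] = [$name, $value, 'contains quote or angle bracket'];
            } elseif (in_array($name, ORG_EVENTS_INT_ATTRS, true) && !preg_match('/^\d+$/', $value)) {
                $findings[] = [$name, $value, 'expected an integer'];
            } elseif ($name === 'transparency' && !is_numeric($value)) {
                $findings[] = [$name, $value, 'expected a number'];
            } elseif (isset(ORG_EVENTS_ENUM_ATTRS[$name])
                      && !in_array(strtolower($value), ORG_EVENTS_ENUM_ATTRS[$name], true)) {
                $findings[] = [$name, $value, 'value not in allow-list'];
            }
        }
    }
    return $findings;
}

// Constructed sample posts (post ID => post_content).
$posts = [
    101 => 'Upcoming: [org-events organizer_id="12" width="300" height="400" layout="grid"]',
    102 => 'Team page [org-events organizer_id=\'7" data-x="\' width="300"] and more text',
    103 => '[org-events width=300 height=abc header="maybe"]',
    104 => 'No shortcode here.',
];

foreach ($posts as $id => $content) {
    foreach (org_events_audit($content) as [$name, $value, $reason]) {
        printf("post %d: attribute %s=%s (%s)\n", $id, $name, $value, $reason);
    }
}
```

Post 101 produces no findings; post 102 is flagged because a single-quoted value smuggles a double quote, post 103 because `height` is not an integer and `header` is outside the allow-list. Flagging by expected type rather than by a payload signature is deliberate: the advisory's affected attributes are numbers and short enumerations, so anything else in them is worth a look regardless of what it contains.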

Evidence notes

The vulnerability is confirmed through source code analysis showing direct attribute concatenation at lines 144 and 156 of ae_org_widget.php in version 3.0 of the plugin. The CWE-79 classification and CVSS:3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) are provided by Wordfence.

Official resources

The vulnerability was disclosed on May 27, 2026, via the NVD and Wordfence.