PatchSiren cyber security CVE debrief
CVE-2026-8871 thomstark CVE debrief
A stored cross-site scripting (XSS) vulnerability in the Formidable Kinetic WordPress plugin allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts via the 'kinetic_link' shortcode. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode attributes—specifically 'window', 'class', and 'label'—which are concatenated directly into HTML anchor tag attributes in the FrmKinetic::link() function. Affected versions include 1.1.01 and earlier. The vulnerability was published on May 27, 2026, and carries a CVSS 3.1 score of 6.4 (Medium severity). The attack vector is network-based, requires low attack complexity and low privileges, needs no user interaction, and can affect changed scope with low impacts on confidentiality and integrity.
- Vendor
- thomstark
- Product
- Formidable Kinetic
- CVSS
- MEDIUM 6.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-27
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-05-27
- Advisory updated
- 2026-05-27
Who should care
WordPress site administrators using Formidable Kinetic plugin; security teams managing WordPress content management systems; developers maintaining plugins with shortcode functionality
Technical summary
The Formidable Kinetic plugin registers a 'kinetic_link' shortcode that renders anchor tags. The FrmKinetic::link() method extracts shortcode attributes including 'window', 'class', and 'label' without adequate sanitization or escaping before direct concatenation into HTML output. This allows authenticated users with contributor or higher privileges to inject JavaScript payloads through these attributes, which execute when any user views the injected page. The vulnerability affects plugin versions up to and including 1.1.01.
Defensive priority
medium
Recommended defensive actions
- Update Formidable Kinetic plugin to a version newer than 1.1.01 if available
- Review and restrict contributor-level and above user permissions until patching
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
- Audit existing posts and pages for suspicious kinetic_link shortcode usage
- Consider Web Application Firewall (WAF) rules to filter malicious shortcode attributes
Evidence notes
The vulnerability is confirmed through Wordfence security research with source code references to the affected FrmKinetic::link() function at lines 34 and 70 of formidable-kinetic.php. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Official resources
The vulnerability was disclosed on May 27, 2026, with official CVE publication and NVD entry on the same date. No known exploitation in the wild or CISA KEV listing has been reported.