MEDIUM
eldougo
CVE published 2026-05-27
CVE-2026-8846
A stored cross-site scripting (XSS) vulnerability exists in the Tuxquote WordPress plugin, affecting versions up to and including 1.3. The flaw resides in the `tuxquote_build_format()` function, which fails to sanitize or escape user-supplied attributes (`title`, `align`, `width`) before rendering them in HTML output. Authenticated attackers with Contributor-level privileges or higher can inject arbitrary [truncated]
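A hardened shortcode renderer for the three attributes named above, as an added example; it is not Tuxquote's code or its fix. The function name, shortcode tag, `<blockquote>` markup, allowed `align` values and accepted `width` syntax are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical shortcode renderer, not the plugin's code.
// Assumed: shortcode tag, markup, align allowlist and width syntax.

function example_quote_build_format( $atts, $content = '' ) {
    // Any user who can edit a post controls $atts, so all of it is untrusted.
    $atts = shortcode_atts(
        array( 'title' => '', 'align' => 'none', 'width' => '' ),
        $atts,
        'example_quote'
    );

    // Validate on input: align must be one of a fixed set of values.
    $allowed_align = array( 'left', 'right', 'center', 'none' );
    $align         = in_array( $atts['align'], $allowed_align, true ) ? $atts['align'] : 'none';

    // Width must be 1-4 digits with an optional unit; anything else is dropped.
    $width = '';
    if ( preg_match( '/\A(\d{1,4})(px|%)?\z/', (string) $atts['width'], $m ) ) {
        $width = $m[1] . ( isset( $m[2] ) ? $m[2] : 'px' );
    }

    // Title is plain text: strip tags and control characters.
    $title = sanitize_text_field( $atts['title'] );

    // Escape on output for the context each value lands in,
    // even for values that passed validation above.
    $style = '' !== $width ? sprintf( ' style="width:%s"', esc_attr( $width ) ) : '';
    $html  = sprintf(
        '<blockquote class="%s"%s>',
        esc_attr( 'example-quote align' . $align ),
        $style
    );
    if ( '' !== $title ) {
        $html .= sprintf( '<strong class="example-quote-title">%s</strong>', esc_html( $title ) );
    }

    // Body: keep only the HTML that post content is allowed to contain.
    $html .= wp_kses_post( $content ) . '</blockquote>';

    return $html;
}
add_shortcode( 'example_quote', 'example_quote_build_format' );
```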