MEDIUM
gapgag55
CVE published 2026-05-27
CVE-2026-8899
A stored cross-site scripting (XSS) vulnerability in the Auto Thumbnail WordPress plugin allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts via the 'thumbnails' shortcode. The vulnerability exists in all versions up to and including 1.0 due to insufficient input sanitization and output escaping on the 'width' and 'height' attributes in the athn_thumbnail [truncated]