MEDIUM
huankong
CVE published 2026-05-27
CVE-2026-8886
A stored cross-site scripting (XSS) vulnerability exists in the hk_shortcode WordPress plugin, affecting versions up to and including 1.0. The vulnerability resides in the huankong_post_short_title_plane() function, where the 'title' attribute of the 'title-plane' shortcode is concatenated directly into HTML output without proper sanitization or escaping. This allows authenticated attackers with contribut [truncated]
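The pattern described above, as an added PHP example that is not the hk_shortcode plugin's source: a handler that concatenates the 'title' attribute of a 'title-plane' shortcode into its output, next to a version that escapes it with esc_html(). The markup, the function names title_plane_vulnerable and title_plane_fixed, and the sample input are constructed for illustration; the shortcode_atts() and esc_html() stand-ins apply only when the file is run outside WordPress.

```php
<?php
// Added illustration, not the hk_shortcode plugin's code. The markup and the
// function names title_plane_vulnerable / title_plane_fixed are hypothetical.

// Stand-ins so the file also runs outside WordPress (php example.php).
// Inside WordPress the real shortcode_atts() and esc_html() are used instead.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($defaults, $atts) {
        // Keep only known attributes, then fill in defaults for missing ones.
        return array_intersect_key((array) $atts, $defaults) + $defaults;
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// The pattern the advisory describes: the 'title' attribute is concatenated
// straight into the HTML the shortcode returns, so stored markup is rendered.
function title_plane_vulnerable($atts) {
    $atts = shortcode_atts(array('title' => ''), $atts);
    return '<div class="title-plane"><h3>' . $atts['title'] . '</h3></div>';
}

// Hardened form: escape at the point of output, for the HTML text context.
function title_plane_fixed($atts) {
    $atts = shortcode_atts(array('title' => ''), $atts);
    return '<div class="title-plane"><h3>' . esc_html($atts['title']) . '</h3></div>';
}

if (function_exists('add_shortcode')) {
    // Inside WordPress: register only the escaping handler.
    add_shortcode('title-plane', 'title_plane_fixed');
} else {
    // Stand-alone run with constructed input: markup placed in the attribute.
    $sample = array('title' => '<u id="injected">Q3 report</u>');
    echo title_plane_vulnerable($sample), "\n"; // attribute markup passes through
    echo title_plane_fixed($sample), "\n";      // attribute markup is entity-encoded
}
```

If the attribute were ever placed inside an HTML attribute value rather than element text, esc_attr() would be the matching WordPress escaping function.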