MEDIUM
konforti
CVE published 2026-05-27
CVE-2026-8887
The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 1.0. The vulnerability exists in the `listenEmbedJS()` function, where user-supplied attributes (`src`, `start`, `end`) are echoed inside single-quoted HTML attributes without proper sanitization or output escaping. This allows authenticated attackers with contributor-level access o [truncated]