MEDIUM
mcinvale
CVE published 2026-05-20
CVE-2026-8038
The Faces of Users WordPress plugin (versions ≤0.0.3) contains a stored cross-site scripting (XSS) vulnerability in the 'facesofusers' shortcode's 'default' attribute. Insufficient input sanitization and output escaping allow authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute when any user accesses an injected page. The vulnera [truncated]