MEDIUM
morettolss
CVE published 2026-05-27
CVE-2026-8842
The Google+ Link Name plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'gplusnamelink' shortcode in versions up to and including 1.0. The vulnerability exists in the gplusnamelink_generate() function, where user-supplied 'id' and 'name' attributes are concatenated directly into rendered HTML without proper sanitization or escaping. Authenticated attackers with contributor-le [truncated]