MEDIUM
mshomali
CVE published 2026-05-27
CVE-2026-8847
A stored cross-site scripting (XSS) vulnerability exists in the Dideo WordPress plugin version 1.0. The flaw resides in the plugin's 'dideo' shortcode handler, where the 'id' attribute is interpolated directly into an HTML iframe 'src' attribute without proper input sanitization or output escaping. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts [truncated]
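The pattern described above, shown beside a hardened handler, as an added example that is not the Dideo plugin's code: the shortcode name `example_embed`, both function names, the embed host `video.example` and the assumed ID format (letters, digits, `_`, `-`) are hypothetical.

```php
<?php
/**
 * Plugin Name: Example embed shortcode (constructed illustration)
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

// Hypothetical embed endpoint; the real plugin's URL is not given on this page.
const EXAMPLE_EMBED_BASE = 'https://video.example/embed/';

/**
 * Vulnerable shape: the attribute value is concatenated into src="" as-is.
 * Shortcode output is generated at render time, so the KSES filtering that
 * is applied to a contributor's post content on save never sees it.
 * Defined for comparison only; it is deliberately not registered.
 */
function example_embed_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts );
    return '<iframe src="' . EXAMPLE_EMBED_BASE . $atts['id'] . '"></iframe>';
}

/**
 * Hardened shape: validate on input, encode for the URL, escape on output.
 */
function example_embed_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'example_embed' );
    $id   = is_string( $atts['id'] ) ? trim( $atts['id'] ) : '';

    // 1. Allow-list the ID format (assumed here); reject anything else
    //    instead of trying to strip "bad" characters out of it.
    if ( ! preg_match( '/\A[A-Za-z0-9_-]{1,32}\z/', $id ) ) {
        return '';
    }

    // 2. Encode the value for its URL path position.
    $src = EXAMPLE_EMBED_BASE . rawurlencode( $id );

    // 3. Escape for the HTML attribute context at the point of output, so
    //    the markup stays safe even if the validation above is loosened.
    return sprintf(
        '<iframe src="%s" loading="lazy" allowfullscreen></iframe>',
        esc_url( $src )
    );
}
add_shortcode( 'example_embed', 'example_embed_hardened' );
```

When auditing other shortcode handlers for the same flaw, the thing to look for is any `$atts[...]` value reaching returned markup without an `esc_attr()`, `esc_url()` or `esc_html()` call matched to its output context.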