MEDIUM
thomstark
CVE published 2026-05-27
CVE-2026-8871
A stored cross-site scripting (XSS) vulnerability in the Formidable Kinetic WordPress plugin allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts via the 'kinetic_link' shortcode. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode attributes—specifically 'window', 'class', and 'label'—which are conca [truncated]