PatchSiren cyber security CVE debrief
CVE-2026-8897 vincentastolfi CVE debrief
## Summary Stored Cross-Site Scripting (XSS) vulnerability in the Shortcode Buddy WordPress plugin, affecting versions up to and including 0.1.9.5. The flaw stems from insufficient input sanitization and output escaping within shortcode attributes, allowing authenticated attackers with contributor-level privileges or higher to inject persistent JavaScript payloads. These payloads execute when any user accesses a compromised page. ## Technical Details - **Vulnerability Class:** Stored (Persistent) Cross-Site Scripting (CWE-79) - **Attack Vector:** Network-based, via crafted shortcode attributes - **Attack Complexity:** Low - **Privileges Required:** Low (Contributor+) - **User Interaction:** None required for payload execution (victim access to injected page triggers execution) - **Scope:** Changed (impact extends beyond vulnerable component to other page contexts) - **Impact:** Confidentiality and Integrity impacts rated Low; no direct Availability impact The vulnerability resides in the plugin's shortcode processing logic. Source code references indicate the affected functionality is located in `shortcodes/shortcodes.php` at lines 150 and 156, where user-supplied shortcode attributes are processed without adequate sanitization before output rendering. ## Affected Product - **Product:** Shortcode Buddy WordPress plugin - **Affected Versions:** All versions up to and including 0.1.9.5 - **Vendor Status:** Unknown (vendor identification marked low confidence, requires review) ## Exploitation Context - **Threat Actor Access:** Requires authenticated WordPress account with contributor, author, editor, or administrator role - **Exploitation Scenario:** Attacker with contributor privileges creates or edits a post/page, inserts a malicious shortcode with crafted attributes containing JavaScript payloads. When any site visitor (including administrators) views the injected page, the script executes in their browser context. - **KEV Status:** Not listed in CISA Known Exploited Vulnerabilities catalog ## Recommended Actions 1. **Immediate:** Update Shortcode Buddy plugin to version 0.2.0 or later if available; otherwise, consider temporary deactivation until patch is 2. **
- Vendor
- vincentastolfi
- Product
- Shortcode Buddy
- CVSS
- MEDIUM 6.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-27
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-05-27
- Advisory updated
- 2026-05-27
Who should care
WordPress site administrators using Shortcode Buddy plugin; security teams managing WordPress installations with contributor-level user access; developers maintaining WordPress plugins with shortcode functionality.
Technical summary
Insufficient sanitization in shortcode attribute processing allows persistent JavaScript injection. Payloads execute on page load for all viewers. Affects lines 150 and 156 in shortcodes/shortcodes.php.
Defensive priority
medium
Recommended defensive actions
- Update Shortcode Buddy plugin to version 0.2.0 or later if available
- Temporarily deactivate plugin if update unavailable
- Audit existing posts/pages for suspicious shortcode usage
- Implement Content Security Policy headers to mitigate XSS impact
- Review user roles and restrict contributor access where unnecessary
- Enable WordPress automatic plugin updates for security releases
Evidence notes
Vulnerability disclosed via Wordfence security advisory. Source code references to plugins.trac.wordpress.org confirm affected file paths. CVSS 3.1 vector and scoring derived from NVD record. Vendor identification flagged as low confidence due to 'Unknown Vendor' classification in source data.
Official resources
2026-05-27