CVE-2026-8701
Description
The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the title-ticker-slide, title-ticker-fade, and title-ticker-typing shortcodes. This is due to insufficient input sanitization and output escaping on shortcode attributes (notably border, width, height, header_background, header_text_color, and id) within the gntt_title_ticker_slide(), gntt_title_ticker_fade(), and gntt_title_ticker_typing() functions. None of these attribute values are passed through esc_attr() or any other escaping function before being concatenated into HTML output. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in GNTT Post Title Ticker 1.0 via unescaped shortcode attributes allows contributor+ attackers to inject arbitrary scripts.
Vulnerability
The GNTT Post Title Ticker plugin for WordPress version 1.0 contains a stored cross-site scripting (XSS) vulnerability in three shortcodes: title-ticker-slide, title-ticker-fade, and title-ticker-typing. The plugin insufficiently sanitizes and escapes shortcode attributes such as border, width, height, header_background, header_text_color, and id before concatenating them into HTML output within the functions gntt_title_ticker_slide(), gntt_title_ticker_fade(), and gntt_title_ticker_typing() [1][2]. No escaping function like esc_attr() is applied, enabling an attacker to inject malicious HTML attributes or script content.
Exploitation
An authenticated attacker with at least contributor-level access can exploit this vulnerability by inserting a specially crafted shortcode into a post or page. The attacker controls one or more of the unsanitized attributes, like border="1px solid #ddd\" onfocus='alert(1)' autofocus="" or a similar payload that will break out of the attribute context. When a victim visits the affected page, the injected script executes in their browser [1][2]. The shortcode can also be used in widget areas because the plugin adds the do_shortcode filter to widget_text [1][2].
Impact
Successful exploitation allows the attacker to inject arbitrary web scripts that execute in the context of the victim's browser session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack is stored, so the injected payload persists and affects every user who accesses the compromised page [1][2].
Mitigation
As of the publication date (2026-05-27), no patched version of the GNTT Post Title Ticker plugin has been released [1][2]. The vendor should apply proper input sanitization and output escaping (e.g., esc_attr()) to all shortcode attributes in the three affected functions. Until a fix is available, users should restrict contributor-level access to trusted individuals and consider disabling the plugin if it is not essential. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2= 1.0+ 1 more
- (no CPE)range: = 1.0
- (no CPE)range: =1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.