VYPR
← All advisories
Medium severity6.4NVD Advisory· Published May 27, 2026

CVE-2026-8702

CVE-2026-8702

Description

The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the 'div' attribute of the 'gbitoprint' shortcode. This is due to insufficient output escaping in the gbi_toprint_shortcode() function, which concatenates the raw shortcode attribute value directly into an HTML attribute without applying esc_attr() or any other sanitization. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in GBI To Print WordPress plugin v1.0 via unsanitized 'div' shortcode attribute allows contributor-level users to inject scripts.

Vulnerability

The GBI To Print plugin version 1.0 for WordPress contains a stored cross-site scripting vulnerability in the gbi_toprint_shortcode() function. The div attribute of the [gbitoprint] shortcode is directly concatenated into an HTML attribute without escaping via esc_attr() or similar sanitization. This allows injection of arbitrary HTML and JavaScript. The vulnerable code is in /trunk/gbitoprint.php [1].

Exploitation

An authenticated attacker with at least contributor-level access can create or edit a post or page and insert the [gbitoprint] shortcode with a malicious div attribute containing JavaScript payloads. When any user accesses the injected page, the script executes.

Impact

Successful exploitation leads to stored cross-site scripting, allowing the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can result in session hijacking, defacement, or redirection to malicious sites.

Mitigation

As of the publication date (2026-05-27), no fixed version has been released. Users should disable the plugin until a patch is available. The plugin is not listed on CISA's Known Exploited Vulnerabilities catalog.

References
  1. https://plugins.trac.wordpress.org/browser/gbi-to-print/trunk/gbitoprint.php#L86

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.