VYPR
Medium severity (6.4) · NVD Advisory · Published May 27, 2026

CVE-2026-8842

Description

The Google+ Link Name plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gplusnamelink' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes ('id' and 'name') in the gplusnamelink_generate() function, which are concatenated directly into the rendered HTML without calling esc_attr() or esc_html(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WordPress Google+ Link Name plugin <= 1.0 allows contributor-level attackers to inject arbitrary scripts via 'id' and 'name' shortcode attributes.

Vulnerability

The Google+ Link Name plugin for WordPress versions up to and including 1.0 is vulnerable to Stored Cross-Site Scripting (XSS) in the `gplusnamelink_generate()` function, which is registered via the `[gplusnamelink]` shortcode. The function accepts `id` and `name` attributes from the shortcode and concatenates them directly into an `<a>` tag's `href` and inner content without proper sanitization or output escaping; specifically, it fails to call `esc_attr()` or `esc_html()` on the user-supplied values [1][2]. This allows an attacker who can create or edit posts (e.g., contributor-level or higher) to inject malicious HTML and JavaScript.
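To make the defect concrete, the following is an added illustration, not the plugin's own code: a minimal shortcode handler written the way the description says `gplusnamelink_generate()` behaves (attributes concatenated straight into the anchor markup), beside a hardened version that normalises attributes with `shortcode_atts()`, allow-lists the `id`, and escapes at output with `esc_url()` and `esc_html()`. The function and attribute names come from the advisory; the exact markup the real plugin emits, and the small stand-in definitions that let the file run under plain `php` outside WordPress, are assumptions.

```php
<?php
// Added illustration, not the plugin's code. The vulnerable function is a
// reconstruction of the defect the advisory describes (attributes echoed into
// an <a> tag unescaped); the exact markup of the real plugin is an assumption.

// Stand-ins so the file also runs under plain `php` outside WordPress. Inside
// WordPress the core functions already exist and these definitions are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    // Simplified stand-in: core esc_url() also validates the URL scheme.
    function esc_url( $url ) {
        return htmlspecialchars( (string) $url, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
        $atts = (array) $atts;
        $out  = array();
        foreach ( $pairs as $key => $default ) {
            $out[ $key ] = array_key_exists( $key, $atts ) ? $atts[ $key ] : $default;
        }
        return $out;
    }
}

// Vulnerable pattern: 'id' and 'name' go straight into the HTML string, so a
// value containing quotes or angle brackets is rendered as markup, not text.
function gplusnamelink_generate_vulnerable( $atts ) {
    $atts = (array) $atts;
    $id   = isset( $atts['id'] ) ? $atts['id'] : '';
    $name = isset( $atts['name'] ) ? $atts['name'] : '';
    return '<a href="https://plus.google.com/' . $id . '">' . $name . '</a>';
}

// Hardened pattern: normalise attributes with shortcode_atts(), allow-list the
// id, and escape at the point of output (esc_url() for href, esc_html() for text).
function gplusnamelink_generate_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'name' => '' ), $atts, 'gplusnamelink' );

    // Only characters a profile id could legitimately contain survive.
    $id = preg_replace( '/[^A-Za-z0-9+_\-]/', '', (string) $atts['id'] );
    if ( '' === $id ) {
        return '';
    }

    $url  = esc_url( 'https://plus.google.com/' . $id );
    $text = esc_html( '' !== $atts['name'] ? $atts['name'] : $id );
    return '<a href="' . $url . '">' . $text . '</a>';
}

if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'gplusnamelink', 'gplusnamelink_generate_hardened' );
}

// Stand-alone demo with a constructed attribute value that contains markup.
if ( PHP_SAPI === 'cli' && ! defined( 'ABSPATH' ) ) {
    $constructed = array( 'id' => '12345', 'name' => 'Alice "<b>Smith</b>"' );
    echo gplusnamelink_generate_vulnerable( $constructed ), "\n";
    echo gplusnamelink_generate_hardened( $constructed ), "\n";
}
```

Running the file under plain `php` prints the two renderings side by side: the vulnerable variant leaves the `<b>` element live in the page, the hardened one emits it as literal text. Escaping at output is the fix the advisory names; the allow-list on `id` is the second half a reviewer would ask for, since the attribute lands inside a URL path where quoting alone does not constrain what it points at.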

Exploitation

An authenticated attacker with at least contributor-level access can create a new post or edit an existing one and insert the `[gplusnamelink]` shortcode with crafted values for the `id` or `name` attributes. For example, setting `name` to a string containing HTML or script markup will cause the unsanitized string to be echoed directly into the page HTML. Since the shortcode is processed on page render, the injected script executes in the browser of any user who views the affected page. No special network position or user interaction beyond viewing the page is required [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session theft, credential harvesting, redirection to malicious sites, or defacement. The attacker does not gain direct server-side control but can compromise the integrity and confidentiality of interactions with the WordPress site for any user visiting the infected page [1][2].

Mitigation

As of the publication date (2026-05-27), no fixed version of the Google+ Link Name plugin has been released. The plugin appears to be abandoned (last updated in 2012) and is no longer maintained on the WordPress plugin repository. The recommended mitigation is to immediately deactivate and remove the plugin, as no workaround exists that preserves functionality. Site administrators should also review and remove any pages or posts containing the vulnerable shortcode. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at this time [1].
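For the review step above, here is an added audit helper, not part of the advisory or the plugin: it lists every post whose content still carries the shortcode, with each occurrence printed so the attribute values can be inspected. It assumes it runs with WordPress loaded (for example via `wp eval-file`). It deliberately matches with a regex instead of `has_shortcode()`, because `has_shortcode()` first checks `shortcode_exists()` and therefore reports nothing once the plugin has been deactivated.

```php
<?php
// Added audit helper, not part of the advisory or the plugin. Run with
// WordPress loaded, for example:  wp eval-file find-gplusnamelink.php
// has_shortcode() is avoided on purpose: it checks shortcode_exists() first,
// so once the plugin is deactivated it returns false for every post.

function find_gplusnamelink_posts() {
    global $wpdb;

    // DB-side prefilter on the literal tag, then a regex to pull out each
    // occurrence. Drafts, pending and trashed posts are included on purpose:
    // any of them can be published or restored later.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title, post_status, post_type, post_content
             FROM {$wpdb->posts}
             WHERE post_type <> 'revision' AND post_content LIKE %s",
            '%' . $wpdb->esc_like( '[gplusnamelink' ) . '%'
        )
    );

    $findings = array();
    foreach ( $rows as $row ) {
        if ( preg_match_all( '/\[gplusnamelink\b[^\]]*\]/i', $row->post_content, $m ) ) {
            $findings[] = array(
                'ID'         => (int) $row->ID,
                'title'      => $row->post_title,
                'status'     => $row->post_status,
                'type'       => $row->post_type,
                'shortcodes' => $m[0],
            );
        }
    }
    return $findings;
}

foreach ( find_gplusnamelink_posts() as $f ) {
    printf( "post %d [%s/%s] %s\n", $f['ID'], $f['type'], $f['status'], $f['title'] );
    foreach ( $f['shortcodes'] as $sc ) {
        echo "    ", $sc, "\n";
    }
}
```

Each printed shortcode instance shows its raw `id` and `name` values, which is what an administrator needs to decide whether the post was merely using the plugin or was seeded with markup. Revisions are skipped because they are never rendered, but everything else, including trashed content, is reported.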

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)