CVE-2026-8847
Description
The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute without escaping in the dideo() shortcode handler. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Dideo WordPress plugin 1.0 suffers from stored XSS via the 'dideo' shortcode's 'id' attribute, allowing contributor-level attackers to inject arbitrary scripts.
Vulnerability
The Dideo plugin for WordPress, version 1.0, contains a stored cross-site scripting vulnerability in the dideo() shortcode handler. The id attribute from the shortcode is directly interpolated into an HTML iframe src attribute without proper sanitization or output escaping [1]. This allows injection of arbitrary HTML and JavaScript.
Exploitation
An attacker must have at least Contributor-level access to a WordPress site. They can insert the [dideo id="..."] shortcode into a post or page, where the id value contains a malicious payload such as " onload="alert(1)". When the shortcode is rendered, the unsanitized id is placed into the iframe src, resulting in script execution in the context of the victim's browser.
Impact
Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the browsers of users who view the affected page. This can result in session hijacking, defacement, or redirection to malicious sites. The attack is persistent and does not require user interaction beyond visiting the page.
Mitigation
As of the publication date (2026-05-27), no patched version has been released. The only mitigation is to disable the Dideo plugin or restrict contributor-level access to trusted users only. The plugin is not listed on the CISA KEV. Users should monitor the plugin repository for updates.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.