VYPR
Medium severity 6.4 · NVD Advisory · Published May 27, 2026

CVE-2026-8872

Description

The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animation-set' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the shortcode_args_to_html_attrs() function, which concatenates shortcode attribute values directly into double-quoted HTML attributes without calling esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Animate Your Content plugin for WordPress allows authenticated contributors to inject arbitrary scripts via the 'animation-set' shortcode.

Vulnerability

The Animate Your Content plugin for WordPress versions up to and including 1.0.0 contains a stored cross-site scripting vulnerability in the animation-set shortcode. The shortcode_args_to_html_attrs() function concatenates user-supplied shortcode attribute values directly into double-quoted HTML attributes without calling esc_attr(), so the values are neither sanitized on input nor escaped on output [1].
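The unescaped concatenation pattern described above, next to a hardened form, as an added example that is not the plugin's code. The function names, the `data-effect` attribute and the sample value are constructed, a small `esc_attr()` stand-in lets the file run outside WordPress, and PHP's DOM extension is assumed to be available.

```php
<?php
// Added illustration, not the plugin's source; function names are hypothetical.

// Stand-in for WordPress's esc_attr() so this file runs outside WordPress.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Pattern the advisory describes: each value is concatenated into a
// double-quoted HTML attribute with no escaping.
function example_attrs_unescaped(array $args): string {
    $html = '';
    foreach ($args as $name => $value) {
        $html .= ' ' . $name . '="' . $value . '"';
    }
    return $html;
}

// Hardened form: allowlist the attribute name, escape the value on output.
function example_attrs_escaped(array $args): string {
    $html = '';
    foreach ($args as $name => $value) {
        if (!is_string($name) || !preg_match('/\A[a-z][a-z0-9_-]*\z/', $name)) {
            continue; // drop names that are not plain identifiers
        }
        if (!is_scalar($value)) {
            continue; // arrays and objects have no safe string form here
        }
        $html .= ' ' . $name . '="' . esc_attr((string) $value) . '"';
    }
    return $html;
}

// Count the attributes an HTML parser sees on the rendered element.
function example_count_attrs(string $attr_html): int {
    $doc = new DOMDocument();
    $doc->loadHTML('<div' . $attr_html . '></div>', LIBXML_NOERROR | LIBXML_NOWARNING);
    return $doc->getElementsByTagName('div')->item(0)->attributes->length;
}

// Constructed sample: one shortcode attribute whose value contains a double quote.
$constructed = ['data-effect' => 'fade" data-extra="1'];
foreach (['example_attrs_unescaped', 'example_attrs_escaped'] as $fn) {
    $out = $fn($constructed);
    printf("%-24s %s => %d attribute(s)\n", $fn, $out, example_count_attrs($out));
}
```

With one input attribute, a parsed attribute count greater than one from the unescaped form shows the value has left its quoted context; the escaped form keeps it as a single attribute.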

Exploitation

An authenticated attacker with contributor-level access or above can insert the animation-set shortcode with malicious attribute values. When the shortcode is rendered, the unsanitized attributes are injected into the HTML, allowing arbitrary JavaScript to be stored and executed in the context of any user visiting the affected page.

Impact

Successful exploitation enables stored cross-site scripting (XSS), allowing the attacker to execute arbitrary web scripts in the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites, compromising the confidentiality and integrity of the WordPress site.

Mitigation

As of the publication date, no patched version has been released. Users are advised to disable the plugin or restrict contributor-level access until a fix is available. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

4
