Medium severity · 6.4 · NVD Advisory · Published May 27, 2026

CVE-2026-8877

Description

The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rem_video' shortcode in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes (notably 'id' and 'list') in the video_shortcode() function, which are concatenated directly into an HTML iframe's src attribute without escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Responsive Video Embedder WordPress plugin ≤0.1 via unsanitized 'id' and 'list' attributes in the 'rem_video' shortcode.

Vulnerability

The Responsive Video Embedder plugin for WordPress versions up to and including 0.1 contains a stored cross-site scripting vulnerability in the video_shortcode() function [1][2]. The rem_video shortcode accepts user-supplied attributes id and list which are concatenated directly into an HTML iframe's src attribute without proper input sanitization or output escaping. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts.

Exploitation

An attacker with contributor-level privileges or above can create or edit a post or page and insert the [rem_video] shortcode with a malicious payload in the id or list attribute. For example, [rem_video id="\" onload=\"alert(1)\" would inject a script. When any user visits the affected page, the injected script executes in the context of the victim's browser.

Impact

Successful exploitation results in stored cross-site scripting (XSS), allowing the attacker to execute arbitrary JavaScript in the browsers of users who view the compromised page. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack is persistent and affects all visitors, not just the attacker.

Mitigation

As of the publication date, no patched version of the Responsive Video Embedder plugin has been released. The only mitigation is to disable the plugin or restrict contributor-level and higher roles from using shortcodes until a fix is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
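Since no patched version exists, a site owner can audit stored post content for rem_video shortcodes whose id or list values contain anything outside an expected character set. The sketch below is an added example, not code from the advisory or the plugin; the allow-list, the function names and the sample rows are assumptions constructed for illustration.

```python
import re

# Assumption: legitimate video/playlist IDs contain only these characters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# A rem_video tag and its raw attribute string, up to the closing bracket.
SHORTCODE = re.compile(r"\[rem_video\b([^\]]*)\]", re.IGNORECASE)
# Attribute forms handled: name="value", name='value' and name=value.
ATTRIBUTE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
CHECKED = ("id", "list")  # the attributes the advisory names


def parse_attributes(raw):
    """Return {name: value} for one shortcode's attribute string."""
    attrs = {}
    for name, dq, sq, bare in ATTRIBUTE.findall(raw):
        attrs[name.lower()] = dq or sq or bare
    return attrs


def audit_posts(posts):
    """posts: iterable of (post_id, post_content). Returns (post_id, attr, value) findings."""
    findings = []
    for post_id, content in posts:
        for match in SHORTCODE.finditer(content):
            attrs = parse_attributes(match.group(1))
            for name in CHECKED:
                value = attrs.get(name, "")
                # Anything outside the allow-list needs manual review.
                if value and not SAFE_VALUE.fullmatch(value):
                    findings.append((post_id, name, value))
    return findings


# Constructed sample rows standing in for (ID, post_content) pairs from wp_posts.
SAMPLE_POSTS = [
    (101, 'Intro text [rem_video id="abc123XYZ_-"] outro.'),
    (102, "[rem_video id='abc123' list=PL_demo-01]"),
    (103, '[rem_video id="abc123" list="PL1 onfoo=bar"]'),
    (104, "No shortcode here, only the words rem_video in prose."),
]

if __name__ == "__main__":
    for post_id, name, value in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: review {name}={value!r}")
```

Run it over an export of post content, including drafts and pending posts, since contributor-level accounts can author the shortcode.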

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3
