VYPR
← All advisories
Medium severity6.4NVD Advisory· Published May 27, 2026

CVE-2026-8886

CVE-2026-8886

Description

The hk_shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the huankong_post_short_title_plane() function, where the 'title' attribute is concatenated directly into HTML output without any escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in hk_shortcode WordPress plugin up to v1.0 allows contributor-level attackers to inject arbitrary scripts via the 'title-plane' shortcode.

Vulnerability

The hk_shortcode plugin for WordPress versions up to and including 1.0 contains a stored cross-site scripting (XSS) vulnerability in the huankong_post_short_title_plane() function, which handles the title-plane shortcode. The title attribute is directly concatenated into HTML output without proper sanitization or escaping [1][2]. This allows injection of arbitrary HTML and JavaScript.

Exploitation

An attacker must have at least Contributor-level access to a WordPress site using the vulnerable plugin. The attacker can create or edit a post/page and insert the [title-plane title=""] shortcode with a malicious payload in the title attribute. When any user views the page, the injected script executes in their browser.

Impact

Successful exploitation results in stored cross-site scripting, enabling the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or redirection to malicious sites. The attack requires no user interaction beyond viewing the affected page.

Mitigation

As of the publication date (2026-05-27), no patched version has been released. The vendor has not responded. Users should disable the plugin or remove it from their WordPress installations until a fix is available. The plugin is not listed on the CISA KEV as of this writing.

References
  1. https://plugins.trac.wordpress.org/browser/hk-shortcode/tags/1.0/function/shortcode.php#L8
  2. https://plugins.trac.wordpress.org/browser/hk-shortcode/tags/1.0/function/shortcode.php#L6

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.