CVE-2026-8897

Vulnerability

The Shortcode Buddy plugin for WordPress versions up to and including 0.1.9.5 fails to properly sanitize and escape shortcode attributes, leading to a stored cross-site scripting vulnerability. The issue resides in the handling of shortcode attributes in the plugin's shortcode functions (see [1], [2]). Authenticated users with contributor-level access or higher can inject malicious scripts via shortcode attributes that are later executed when any user views the affected page.

Exploitation

An attacker must have a WordPress account with at least contributor-level permissions. The attacker can create or edit a post or page and insert a shortcode provided by the Shortcode Buddy plugin, supplying a crafted attribute containing a JavaScript payload. The plugin does not sanitize the attribute input, so the payload is stored in the database. When the page is rendered, the payload executes in the context of the victim's browser.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browsers of users who visit the compromised page. This can lead to session hijacking, defacement, or theft of sensitive information. The attack is stored, meaning the malicious script persists until the content is removed or patched.

Mitigation

The vendor has not released a patched version as of the publication date (2026-05-27). Users should disable the Shortcode Buddy plugin until a fix is available. Alternatively, restrict contributor-level access to trusted users only. No workaround is provided in the available references.