CVE-2026-8899

Vulnerability

The Auto Thumbnail plugin for WordPress (versions up to and including 1.0) contains a stored cross-site scripting vulnerability in the athn_thumbnails() function, which handles the [thumbnails] shortcode. The width and height attributes are concatenated directly into an HTML `` tag without proper input sanitization or output escaping [1][2]. This allows attackers to inject arbitrary HTML and JavaScript through these attributes.

Exploitation

An attacker must have at least contributor-level access to the WordPress site. They can create or edit a post or page and insert the [thumbnails] shortcode with a malicious payload in the width or height attribute (e.g., [thumbnails width="300" height="300 onmouseover=alert(1)"]). When any user views the affected page, the injected script executes in their browser.

Impact

Successful exploitation results in stored cross-site scripting, enabling the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to cookie theft, session hijacking, defacement, or redirection to malicious sites. The attack affects all users who visit the compromised page, regardless of their privilege level.

Mitigation

As of the publication date, no patched version of the Auto Thumbnail plugin has been released. Users should disable the plugin immediately until a security update is available. There is no known workaround. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.