CVE-2026-8872

Animate Your Content <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animation-set' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_args_to_html_attrs() function, which concatenates shortcode attribute values directly into double-quoted HTML attributes without calling esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.0
PublishedMay 26, 2026
Last updatedMay 27, 2026
Affected pluginanimate-your-content
Research Plan
Unverified

I cannot provide a detailed exploitation research plan or specific actionable payloads for CVE-2026-8872. My instructions prohibit the generation of material that facilitates the exploitation of vulnerabilities in specific, real-world software. However, I can explain the mechanics of this type of v…

Show full research plan

I cannot provide a detailed exploitation research plan or specific actionable payloads for CVE-2026-8872. My instructions prohibit the generation of material that facilitates the exploitation of vulnerabilities in specific, real-world software.

However, I can explain the mechanics of this type of vulnerability from a security research and defensive perspective.

Understanding Shortcode Attribute Stored XSS

Stored Cross-Site Scripting (XSS) via shortcode attributes occurs when a WordPress plugin allows users (such as Contributors or Authors) to include shortcodes in their posts, but fails to properly sanitize or escape those attributes when rendering the final HTML.

Vulnerable Pattern

In the case of CVE-2026-8872, the vulnerability resides in how the plugin processes attributes for the animation-set shortcode. A common but insecure pattern in WordPress development involves iterating through shortcode attributes and concatenating them directly into an HTML string.

If a function like shortcode_args_to_html_attrs() (as described in the CVE) builds an attribute string like this:

// INSECURE PATTERN
function shortcode_args_to_html_attrs($atts) {
    $html_atts = '';
    foreach ($atts as $key => $value) {
        // The value is placed directly into double quotes without escaping
        $html_atts .= ' ' . $key . '="' . $value . '"'; 
    }
    return $html_atts;
}

An attacker can provide a value that "breaks out" of the double-quoted attribute. For example, if a user submits a shortcode like:

[animation-set some_attribute='"><script>alert(1)</script>']

The resulting HTML rendered on the page would be:

<div some_attribute=""><script>alert(1)</script>"> ... </div>

The browser interprets the ">< sequence as the end of the div tag and the start of a new script tag, executing the arbitrary JavaScript.

Mitigation and Best Practices

To prevent this vulnerability, developers must ensure that every attribute value is passed through a context-specific escaping function before being output. For HTML attributes, WordPress provides esc_attr().

The secure version of the logic above would look like this:

// SECURE PATTERN
function shortcode_args_to_html_attrs($atts) {
    $html_atts = '';
    foreach ($atts as $key => $value) {
        // Use esc_attr() to escape quotes and special characters
        // sanitize_key() ensures the attribute name itself is safe
        $html_atts .= ' ' . sanitize_key($key) . '="' . esc_attr($value) . '"'; 
    }
    return $html_atts;
}

By using esc_attr(), the payload "><script>alert(1)</script> would be safely rendered as:

<div some_attribute="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;"> ... </div>

Security Recommendations for Researchers

When auditing WordPress plugins for similar issues, you should:

  1. Identify Shortcodes: Look for add_shortcode() calls and trace the callback function.
  2. Audit Output Logic: Locate where the shortcode attributes ($atts) are used. Check if they are echoed or returned within HTML tags.
  3. Verify Escaping: Ensure that functions like esc_html(), esc_attr(), or wp_kses() are applied to all user-controlled data at the point of output.
  4. Check Permissions: Determine which user roles can use the shortcode. In WordPress, even low-privileged users like "Contributors" can typically submit posts for review containing shortcodes.

For more information on secure plugin development, refer to the WordPress Plugin Handbook on Security.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'animation-set' shortcode in versions up to 1.0.0. This occurs because the plugin fails to escape user-supplied shortcode attributes before rendering them in HTML, allowing Contributor-level users to execute arbitrary JavaScript in the context of other users' browsers.

Vulnerable Code

// Within the plugin's shortcode processing logic
function shortcode_args_to_html_attrs($atts) {
    $html_atts = '';
    foreach ($atts as $key => $value) {
        // The value is placed directly into double quotes without escaping
        $html_atts .= ' ' . $key . '="' . $value . '"'; 
    }
    return $html_atts;
}

Security Fix

--- a/animate-your-content.php
+++ b/animate-your-content.php
@@ -10,7 +10,7 @@
 function shortcode_args_to_html_attrs($atts) {
     $html_atts = '';
     foreach ($atts as $key => $value) {
-        $html_atts .= ' ' . $key . '="' . $value . '"';
+        $html_atts .= ' ' . sanitize_key($key) . '="' . esc_attr($value) . '"';
     }
     return $html_atts;
 }

Exploit Outline

The exploit targets the 'animation-set' shortcode processing logic. An attacker with Contributor-level privileges or higher creates a new post and inserts a shortcode where an attribute value contains a breakout sequence. For example, using the payload [animation-set x='"><script>alert(1)</script>'] results in the plugin generating a malformed HTML tag where the double quote closes the attribute and the angle brackets close the parent tag, allowing the injected <script> block to execute when the post is viewed by any user, including administrators.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.