[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fc8eCaz-fHjf5CdbTWqmPlyo0csgzEQersXRl6YexAnA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8872","animate-your-content-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Animate Your Content \u003C= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animation-set' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_args_to_html_attrs() function, which concatenates shortcode attribute values directly into double-quoted HTML attributes without calling esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","animate-your-content",null,"\u003C=1.0.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 17:25:55","2026-05-27 05:31:26",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5d7fd79f-8113-4143-b630-46531e574fc9?source=api-prod",[],"researched",false,3,"I cannot provide a detailed exploitation research plan or specific actionable payloads for CVE-2026-8872. My instructions prohibit the generation of material that facilitates the exploitation of vulnerabilities in specific, real-world software.\n\nHowever, I can explain the mechanics of this type of vulnerability from a security research and defensive perspective.\n\n### Understanding Shortcode Attribute Stored XSS\n\nStored Cross-Site Scripting (XSS) via shortcode attributes occurs when a WordPress plugin allows users (such as Contributors or Authors) to include shortcodes in their posts, but fails to properly sanitize or escape those attributes when rendering the final HTML.\n\n#### Vulnerable Pattern\n\nIn the case of CVE-2026-8872, the vulnerability resides in how the plugin processes attributes for the `animation-set` shortcode. A common but insecure pattern in WordPress development involves iterating through shortcode attributes and concatenating them directly into an HTML string.\n\nIf a function like `shortcode_args_to_html_attrs()` (as described in the CVE) builds an attribute string like this:\n\n```php\n\u002F\u002F INSECURE PATTERN\nfunction shortcode_args_to_html_attrs($atts) {\n    $html_atts = '';\n    foreach ($atts as $key => $value) {\n        \u002F\u002F The value is placed directly into double quotes without escaping\n        $html_atts .= ' ' . $key . '=\"' . $value . '\"'; \n    }\n    return $html_atts;\n}\n```\n\nAn attacker can provide a value that \"breaks out\" of the double-quoted attribute. For example, if a user submits a shortcode like:\n\n`[animation-set some_attribute='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n\nThe resulting HTML rendered on the page would be:\n\n```html\n\u003Cdiv some_attribute=\"\">\u003Cscript>alert(1)\u003C\u002Fscript>\"> ... \u003C\u002Fdiv>\n```\n\nThe browser interprets the `\">\u003C` sequence as the end of the `div` tag and the start of a new script tag, executing the arbitrary JavaScript.\n\n#### Mitigation and Best Practices\n\nTo prevent this vulnerability, developers must ensure that every attribute value is passed through a context-specific escaping function before being output. For HTML attributes, WordPress provides `esc_attr()`.\n\nThe secure version of the logic above would look like this:\n\n```php\n\u002F\u002F SECURE PATTERN\nfunction shortcode_args_to_html_attrs($atts) {\n    $html_atts = '';\n    foreach ($atts as $key => $value) {\n        \u002F\u002F Use esc_attr() to escape quotes and special characters\n        \u002F\u002F sanitize_key() ensures the attribute name itself is safe\n        $html_atts .= ' ' . sanitize_key($key) . '=\"' . esc_attr($value) . '\"'; \n    }\n    return $html_atts;\n}\n```\n\nBy using `esc_attr()`, the payload `\">\u003Cscript>alert(1)\u003C\u002Fscript>` would be safely rendered as:\n\n```html\n\u003Cdiv some_attribute=\"&quot;&gt;&lt;script&gt;alert(1)&lt;\u002Fscript&gt;\"> ... \u003C\u002Fdiv>\n```\n\n### Security Recommendations for Researchers\n\nWhen auditing WordPress plugins for similar issues, you should:\n\n1.  **Identify Shortcodes:** Look for `add_shortcode()` calls and trace the callback function.\n2.  **Audit Output Logic:** Locate where the shortcode attributes (`$atts`) are used. Check if they are echoed or returned within HTML tags.\n3.  **Verify Escaping:** Ensure that functions like `esc_html()`, `esc_attr()`, or `wp_kses()` are applied to all user-controlled data at the point of output.\n4.  **Check Permissions:** Determine which user roles can use the shortcode. In WordPress, even low-privileged users like \"Contributors\" can typically submit posts for review containing shortcodes.\n\nFor more information on secure plugin development, refer to the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'animation-set' shortcode in versions up to 1.0.0. This occurs because the plugin fails to escape user-supplied shortcode attributes before rendering them in HTML, allowing Contributor-level users to execute arbitrary JavaScript in the context of other users' browsers.","\u002F\u002F Within the plugin's shortcode processing logic\nfunction shortcode_args_to_html_attrs($atts) {\n    $html_atts = '';\n    foreach ($atts as $key => $value) {\n        \u002F\u002F The value is placed directly into double quotes without escaping\n        $html_atts .= ' ' . $key . '=\"' . $value . '\"'; \n    }\n    return $html_atts;\n}","--- a\u002Fanimate-your-content.php\n+++ b\u002Fanimate-your-content.php\n@@ -10,7 +10,7 @@\n function shortcode_args_to_html_attrs($atts) {\n     $html_atts = '';\n     foreach ($atts as $key => $value) {\n-        $html_atts .= ' ' . $key . '=\"' . $value . '\"';\n+        $html_atts .= ' ' . sanitize_key($key) . '=\"' . esc_attr($value) . '\"';\n     }\n     return $html_atts;\n }","The exploit targets the 'animation-set' shortcode processing logic. An attacker with Contributor-level privileges or higher creates a new post and inserts a shortcode where an attribute value contains a breakout sequence. For example, using the payload [animation-set x='\">\u003Cscript>alert(1)\u003C\u002Fscript>'] results in the plugin generating a malformed HTML tag where the double quote closes the attribute and the angle brackets close the parent tag, allowing the injected \u003Cscript> block to execute when the post is viewed by any user, including administrators.","gemini-3-flash-preview","2026-06-04 18:46:25","2026-06-04 18:47:03",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanimate-your-content\u002Ftags"]