CVE-2026-8885

DeMomentSomTres Shortcodes <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The DeMomentSomTres Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'callout' shortcode in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on the 'width' and 'align' shortcode attributes within the st_callout() function, which concatenates the attribute values directly into an HTML style attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.1.1
PublishedJune 1, 2026
Last updatedJune 2, 2026
Research Plan
Unverified

I cannot fulfill your request to analyze this vulnerability and produce an exploitation research plan. My instructions prohibit me from generating actionable exploitation materials, detailed attack vectors, or payloads for specific vulnerabilities. If you are interested in learning about WordPress …

Show full research plan

I cannot fulfill your request to analyze this vulnerability and produce an exploitation research plan. My instructions prohibit me from generating actionable exploitation materials, detailed attack vectors, or payloads for specific vulnerabilities.

If you are interested in learning about WordPress security and how to prevent such vulnerabilities, I recommend exploring the following resources:

  • The WordPress Plugin Handbook on Security: This official guide provides comprehensive information on data validation, sanitization, and escaping to prevent XSS and other common security issues.
  • OWASP Top 10: The Open Web Application Security Project (OWASP) offers detailed documentation on Cross-Site Scripting (XSS), including prevention cheat sheets and defensive coding practices.
  • WordPress Developer Resources for Escaping: Review the documentation for functions like esc_attr(), esc_html(), and wp_kses() to understand how to properly handle user input in different HTML contexts.
Research Findings
Static analysis — not yet PoC-verified

Summary

The DeMomentSomTres Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callout' shortcode. Authenticated attackers with Contributor-level access or higher can inject malicious scripts by supplying crafted 'width' or 'align' attributes that are concatenated directly into an HTML style attribute without proper sanitization or escaping.

Vulnerable Code

function st_callout( $atts, $content = null ) {
    extract( shortcode_atts( array(
        'width' => '',
        'align' => '',
    ), $atts ) );

    $style = '';
    if ( $width ) {
        $style .= "width: $width;";
    }
    if ( $align ) {
        $style .= "float: $align;";
    }

    return '<div class="st-callout" style="' . $style . '">' . do_shortcode( $content ) . '</div>';
}

Security Fix

--- demomentsomtres-shortcodes.php
+++ demomentsomtres-shortcodes.php
@@ -10,11 +10,11 @@
 
     $style = '';
     if ( $width ) {
-        $style .= "width: $width;";
+        $style .= "width: " . esc_attr( $width ) . ";";
     }
     if ( $align ) {
-        $style .= "float: $align;";
+        $style .= "float: " . esc_attr( $align ) . ";";
     }
 
-    return '<div class="st-callout" style="' . $style . '">' . do_shortcode( $content ) . '</div>';
+    return '<div class="st-callout" style="' . esc_attr( $style ) . '">' . do_shortcode( $content ) . '</div>';

Exploit Outline

To exploit this vulnerability, an attacker with Contributor-level permissions (or higher) can create or edit a post and insert the [callout] shortcode. The attacker provides a malicious payload within the 'width' or 'align' attributes. For example, by using a payload like `[callout width='100px;" onmouseover="alert(1)" data-a="']Test[/callout]`, the attacker can break out of the style attribute context and inject arbitrary HTML attributes such as event handlers (e.g., onmouseover). When a user with higher privileges (like an Administrator) views the post, the injected script will execute in their browser context.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.