CVE-2026-8038

Faces of Users <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute

Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.4
Severity: Medium
Patched in: Unpatched
Time to patch: N/A

Description

The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <=0.0.3
Published: May 19, 2026
Last updated: May 20, 2026
Affected plugin: faces-of-users
Research Plan
Unverified


I cannot fulfill your request to produce a detailed exploitation research plan or actionable payloads for CVE-2026-8038. I am prohibited from generating instructions or materials designed to facilitate the exploitation of specific security vulnerabilities.

For information on how to secure WordPress plugins and prevent Cross-Site Scripting (XSS) vulnerabilities, I recommend consulting the following resources:

By following best practices such as using shortcode_atts() to define default values and applying context-specific escaping functions like esc_attr() or esc_html() when outputting attribute values, developers can effectively mitigate Stored XSS risks in shortcode implementations.
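As an added illustration of the pattern described above (this is example code written for this page, not the Faces of Users plugin's own source), the handler below shows the unsafe concatenation the advisory describes next to a hardened version that declares its attributes with shortcode_atts() and escapes each value for the context it lands in. The function names faces_of_users_unsafe and faces_of_users_safe, the wrapping div, and the size attribute are assumptions for illustration; the stand-in definitions of shortcode_atts(), esc_attr() and esc_url() exist only so the file runs under plain php outside WordPress and are simplified (the real esc_url() strips disallowed characters rather than encoding them, and normalises more cases), so plugin code must rely on the WordPress functions themselves.

```php
<?php
// Added example, not code from the Faces of Users plugin.
// Stand-ins so this file can be run with plain `php` outside WordPress.
// Inside WordPress the real shortcode_atts()/esc_attr()/esc_url() take over.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, $atts) {
        $atts = is_array($atts) ? $atts : array();
        $out  = array();
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out; // attributes not declared in $pairs are dropped
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: rejects URLs whose scheme is not http/https and
    // encodes the rest. The real esc_url() removes the offending characters
    // instead of encoding them; either way the attribute cannot be broken out of.
    function esc_url($url) {
        $url = trim((string) $url);
        if ($url === '') {
            return '';
        }
        if (preg_match('#^([a-z][a-z0-9+.-]*):#i', $url, $m)
            && !in_array(strtolower($m[1]), array('http', 'https'), true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
}

// Unsafe shape (what the advisory describes): the attribute value is
// concatenated straight into the img tag, so '">' ends the attribute and tag.
function faces_of_users_unsafe($atts) {
    $atts = is_array($atts) ? $atts : array();
    if (!isset($atts['default'])) {
        $atts['default'] = '';
    }
    $output  = '<div class="faces-of-users">';
    $output .= '<img src="' . $atts['default'] . '" alt="">';
    return $output . '</div>';
}

// Hardened handler: defaults declared via shortcode_atts(), and each value
// escaped for the context it is written into (URL attribute vs plain attribute).
function faces_of_users_safe($atts) {
    $atts = shortcode_atts(array(
        'default' => '',   // fallback avatar URL; written into an src attribute
        'size'    => '48', // assumed attribute, for illustration only
    ), $atts, 'facesofusers');

    $size    = (int) $atts['size']; // numeric value: cast, then escape on output
    $output  = '<div class="faces-of-users">';
    $output .= '<img src="' . esc_url($atts['default']) . '"'
             . ' width="' . esc_attr($size) . '" alt="">';
    return $output . '</div>';
}

if (function_exists('add_shortcode')) {
    add_shortcode('facesofusers', 'faces_of_users_safe');
}

// Constructed inputs: a normal URL, the attribute-breakout payload quoted in
// this advisory, and a javascript: URL that esc_attr() alone would let through.
$samples = array(
    'https://example.com/avatar.png',
    '"><script>alert(document.domain)</script>',
    'javascript:alert(1)',
);
foreach ($samples as $s) {
    echo "unsafe: " . faces_of_users_unsafe(array('default' => $s)) . "\n";
    echo "safe:   " . faces_of_users_safe(array('default' => $s)) . "\n\n";
}
```

The third sample is why the src attribute needs esc_url() rather than esc_attr(): esc_attr() only neutralises the characters that end the attribute, while esc_url() also refuses URLs whose scheme is outside the allow-list.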

Research Findings
Static analysis — not yet PoC-verified

Summary

The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' attribute of the 'facesofusers' shortcode in versions up to 0.0.3. This vulnerability allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript that executes in the browser of any user visiting the affected page.

Security Fix

--- a/faces-of-users.php
+++ b/faces-of-users.php
@@ -XX,XX +XX,XX @@
- $output .= '<img src="' . $atts['default'] . '"';
+ $output .= '<img src="' . esc_url($atts['default']) . '"';
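Review bot: The @@ header still carries XX placeholders and the plugin is listed as Unpatched above, so this hunk is a proposed fix rather than a shipped one and should be confirmed against released code before anyone relies on it. esc_url() is the right escaper for this line, since an src attribute holds a URL: esc_attr() alone would stop the '">' breakout but pass a javascript: URL through, whereas esc_url() neutralises the quote and angle-bracket characters and drops URLs with a disallowed scheme. Note that the + line leaves the img tag open (no closing '>' in the visible string), so any further attribute appended to $output after it needs the same context-appropriate escaping, and the handler should declare 'default' through shortcode_atts() so the key exists with a safe value when the attribute is omitted.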

Exploit Outline

1. Login as a Contributor or any role with the 'edit_posts' capability.
2. Create a new post or page.
3. Insert the [facesofusers] shortcode into the content, using the 'default' attribute to host a payload: [facesofusers default='"><script>alert(document.domain)</script>'].
4. Publish the post.
5. When an administrator or any site visitor views the post, the unescaped 'default' attribute breaks out of the HTML img tag and executes the injected script.
