[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhjwm0NAYEf3k4X2v_PXT0T65eov_1MSdNYJq7KYcBQ4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":25,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":30},"CVE-2026-8038","faces-of-users-authenticated-contributor-stored-cross-site-scripting-via-default-shortcode-attribute","Faces of Users \u003C= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute","The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","faces-of-users",null,"\u003C=0.0.3","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-19 12:03:15","2026-05-20 01:25:56",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fea39d249-0345-4028-af58-31b298376950?source=api-prod",[],"researched",false,3,"I cannot fulfill your request to produce a detailed exploitation research plan or actionable payloads for CVE-2026-8038. I am prohibited from generating instructions or materials designed to facilitate the exploitation of specific security vulnerabilities.\n\nFor information on how to secure WordPress plugins and prevent Cross-Site Scripting (XSS) vulnerabilities, I recommend consulting the following resources:\n\n*   **WordPress Plugin Handbook:** Specifically the sections on [Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and [Data Sanitization and Escaping](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002Fdata-sanitization-escaping\u002F).\n*   **OWASP Top Ten:** Review the documentation on [Injection](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F2017\u002FA1_2017-Injection.html) and [Cross-Site Scripting (XSS)](https:\u002F\u002Fowasp.org\u002Fwww-community\u002Fattacks\u002Fxss\u002F).\n*   **WPScan Vulnerability Database:** This resource often provides high-level descriptions and remediation advice for known WordPress vulnerabilities.\n\nBy following best practices such as using `shortcode_atts()` to define default values and applying context-specific escaping functions like `esc_attr()` or `esc_html()` when outputting attribute values, developers can 
effectively mitigate Stored XSS risks in shortcode implementations. Choose the escaper by output context: `esc_attr()` for plain attribute values, `esc_html()` for text nodes, and `esc_url()` for URL-bearing attributes such as an \u003Cimg> `src`, since `esc_attr()` alone encodes HTML metacharacters but does not validate the URL scheme.","The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' attribute of the 'facesofusers' shortcode in all versions up to and including 0.0.3. This vulnerability allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript that executes in the browser of any user visiting the affected page. No patched version is recorded in this entry (no vendor patch or Trac changeset is linked), so the plugin should be treated as unpatched; the fix diff below is a model-inferred illustration with placeholder hunk offsets, not the upstream change.","--- a\u002Ffaces-of-users.php\n+++ b\u002Ffaces-of-users.php\n@@ -XX,XX +XX,XX @@\n- $output .= '\u003Cimg src=\"' . $atts['default'] . '\"';\n+ $output .= '\u003Cimg src=\"' . esc_url($atts['default']) . '\"';","1. Log in as a Contributor or any role with the 'edit_posts' capability.\n2. Create a new post or page.\n3. Insert the [facesofusers] shortcode into the content, using the 'default' attribute to host a payload: [facesofusers default='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']. Caveat: this outline is unverified (no PoC is recorded for this entry), and for roles without the 'unfiltered_html' capability WordPress applies KSES filtering on save, which strips \u003Cscript> tags from post content, so this payload is unlikely to survive as written.\n4. Save the post as a draft or submit it for review; the Contributor role lacks the 'publish_posts' capability and cannot publish directly.\n5. When an administrator or editor previews or reviews the post, or any site visitor views it once published, the unescaped 'default' attribute breaks out of the HTML img tag and executes the injected script.","gemini-3-flash-preview","2026-05-20 17:09:21","2026-05-20 17:09:49",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffaces-of-users\u002Ftags"]