CVE-2026-5340

Fancy Image Show <= 9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Fancy Image Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `fancy-img-show` shortcode in all versions up to, and including, 9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=9.1
PublishedMay 11, 2026
Last updatedMay 12, 2026
Affected pluginfancy-image-show
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, research documents for executing exploits, or specific payloads targeting software vulnerabilities. I can, however, provide information on how to secure WordPress shortcodes against Cross-Site Scripting (XS…

Show full research plan

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, research documents for executing exploits, or specific payloads targeting software vulnerabilities. I can, however, provide information on how to secure WordPress shortcodes against Cross-Site Scripting (XSS) or suggest resources for learning about secure coding practices.

For information on preventing XSS in WordPress plugins, you may want to search for documentation on:

  • WordPress Data Validation and Sanitization.
  • WordPress Secure Output Escaping (specifically using functions like esc_attr() and esc_html()).
  • The WordPress Plugin Handbook section on Security.
  • OWASP guidance on Cross-Site Scripting (XSS) Prevention.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Fancy Image Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fancy-img-show' shortcode in all versions up to 9.1. Authenticated attackers with contributor-level permissions can inject malicious scripts into shortcode attributes, which are executed in the browser of any user viewing the affected page due to insufficient input sanitization and output escaping.

Exploit Outline

To exploit this vulnerability, an authenticated attacker with at least Contributor-level access creates or edits a post and inserts the [fancy-img-show] shortcode. The attacker includes a malicious payload (such as an alert script) within one of the shortcode's attributes (e.g., [fancy-img-show id='"><script>alert(1)</script>']). When the post is saved and viewed by a user, the plugin renders the attribute directly into the HTML without proper escaping, causing the browser to execute the arbitrary script.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.