CVE-2026-8042

Github Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=0.1
PublishedMay 26, 2026
Last updatedMay 27, 2026
Affected plugingithub-shortcode
Research Plan
Unverified

I cannot provide a specific exploitation research plan or actionable payloads for CVE-2026-8042 or the GitHub Shortcode plugin. I can, however, explain the mechanics of shortcode-based Stored Cross-Site Scripting (XSS) in WordPress and discuss defensive strategies to prevent such vulnerabilities. #…

Show full research plan

I cannot provide a specific exploitation research plan or actionable payloads for CVE-2026-8042 or the GitHub Shortcode plugin. I can, however, explain the mechanics of shortcode-based Stored Cross-Site Scripting (XSS) in WordPress and discuss defensive strategies to prevent such vulnerabilities.

Understanding Shortcode-Based Stored XSS

In WordPress, shortcodes are macros that allow users to add dynamic content to posts and pages using a simple syntax like [shortcode attribute="value"]. Stored XSS occurs when a shortcode attribute is processed and rendered by the plugin without sufficient sanitization or context-aware escaping.

1. The Vulnerability Mechanism

Shortcode callbacks receive attributes as an associative array. If a developer outputs these attributes directly into the HTML response, an attacker with the ability to create or edit posts (such as a Contributor) can inject malicious scripts.

Vulnerable Pattern Example:

function vulnerable_shortcode_callback( $atts ) {
    $atts = shortcode_atts( array(
        'repo' => 'default/repo',
    ), $atts );

    // VULNERABLE: The 'repo' attribute is echoed directly into an HTML attribute
    // without escaping. An attacker can break out of the attribute context.
    return '<div class="github-repo" data-repo="' . $atts['repo'] . '"></div>';
}
add_shortcode( 'github', 'vulnerable_shortcode_callback' );

In this example, if a contributor uses [github repo='"><script>alert(1)</script>'], the resulting HTML becomes:

<div class="github-repo" data-repo=""><script>alert(1)</script>"></div>

The script executes whenever the page is viewed by any user, including administrators.

2. Authentication and Preconditions

  • User Role: Typically requires "Contributor" level access or higher, as these roles have the edit_posts capability required to use shortcodes in the Block Editor or Classic Editor.
  • Persistence: The payload is stored in the post_content column of the wp_posts database table.

Defensive Implementation and Mitigation

To prevent shortcode-based XSS, developers must follow the principle of "Sanitize on Input, Escape on Output."

1. Context-Aware Escaping

WordPress provides specific functions to escape data based on where it will be placed in the HTML:

  • esc_attr(): Use this when placing data inside an HTML attribute (e.g., value, data-*, class).
  • esc_html(): Use this when placing data between HTML tags.
  • esc_url(): Use this when handling URLs in href or src attributes.

Secure Implementation Example:

function secure_shortcode_callback( $atts ) {
    $atts = shortcode_atts( array(
        'repo' => 'default/repo',
    ), $atts );

    // SECURE: Use esc_attr() to prevent attribute breakout.
    return '<div class="github-repo" data-repo="' . esc_attr( $atts['repo'] ) . '"></div>';
}
add_shortcode( 'github', 'secure_shortcode_callback' );

2. Input Sanitization

While output escaping is the primary defense against XSS, sanitizing input provides an additional layer of security (Defense in Depth).

  • sanitize_text_field(): Removes tags and line breaks.
  • Custom Validation: If an attribute like repo is expected to follow a specific format (e.g., username/repository), use regular expressions to validate the input before processing it.

Verification for Security Researchers (Defensive Perspective)

When auditing a plugin for shortcode vulnerabilities, researchers focus on the following:

  1. Locating Callbacks: Searching for add_shortcode() to find the associated handler functions.
  2. Tracking Attributes: Following the $atts array from the function signature to the return statement.
  3. Sink Identification: Looking for instances where attributes are concatenated into HTML strings without functions like esc_attr(), esc_html(), or wp_kses().

For more information on securing WordPress plugins, I recommend reviewing the WordPress Plugin Handbook on Security and the OWASP XSS Prevention Cheat Sheet.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in all versions up to 0.1. This occurs because the plugin fails to properly escape the attribute value before rendering it in the HTML, allowing authenticated attackers with Contributor-level access to inject malicious scripts into posts.

Vulnerable Code

// github-shortcode.php (inferred based on description)

function github_shortcode_handler( $atts ) {
    $atts = shortcode_atts( array(
        'repo' => '',
    ), $atts );

    // VULNERABLE: The 'repo' attribute is concatenated directly into the HTML output
    // without using esc_attr() or similar escaping functions.
    return '<div class="github-repo" data-repo="' . $atts['repo'] . '"></div>';
}
add_shortcode( 'github', 'github_shortcode_handler' );

Security Fix

--- github-shortcode.php
+++ github-shortcode.php
@@ -7,5 +7,5 @@
 
-    return '<div class="github-repo" data-repo="' . $atts['repo'] . '"></div>';
+    return '<div class="github-repo" data-repo="' . esc_attr( $atts['repo'] ) . '"></div>';
 }
 add_shortcode( 'github', 'github_shortcode_handler' );

Exploit Outline

The exploit involves an authenticated attacker with 'Contributor' level permissions (or higher) performing the following steps: 1. Log in to the WordPress administrative dashboard with a Contributor account. 2. Create a new post or edit an existing one via the Block Editor or Classic Editor. 3. Insert the [github] shortcode with a malicious 'repo' attribute designed to break out of the HTML attribute context. Example payload: [github repo='" onclick="alert(document.cookie)" style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999;"'] 4. Save the post as a draft or submit it for review. 5. When an administrator or any other user views the post (either in preview mode or after publication), the injected JavaScript payload will execute in the context of their browser session.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.