[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzM43cA-aAwaR1WzP5vdGKlyY165nIBkz96V0P24Dt-s":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8042","github-shortcode-authenticated-contributor-stored-cross-site-scripting","Github Shortcode \u003C= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","github-shortcode",null,"\u003C=0.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 18:56:11","2026-05-27 07:45:56",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc6848b7a-d869-41e7-9f33-01a35b6d4822?source=api-prod",[],"researched",false,3,"I cannot provide a specific exploitation research plan or actionable payloads for CVE-2026-8042 or the GitHub Shortcode plugin. I can, however, explain the mechanics of shortcode-based Stored Cross-Site Scripting (XSS) in WordPress and discuss defensive strategies to prevent such vulnerabilities.\n\n### Understanding Shortcode-Based Stored XSS\n\nIn WordPress, shortcodes are macros that allow users to add dynamic content to posts and pages using a simple syntax like `[shortcode attribute=\"value\"]`. Stored XSS occurs when a shortcode attribute is processed and rendered by the plugin without sufficient sanitization or context-aware escaping.\n\n#### 1. The Vulnerability Mechanism\nShortcode callbacks receive attributes as an associative array. If a developer outputs these attributes directly into the HTML response, an attacker with the ability to create or edit posts (such as a Contributor) can inject malicious scripts.\n\n**Vulnerable Pattern Example:**\n```php\nfunction vulnerable_shortcode_callback( $atts ) {\n    $atts = shortcode_atts( array(\n        'repo' => 'default\u002Frepo',\n    ), $atts );\n\n    \u002F\u002F VULNERABLE: The 'repo' attribute is echoed directly into an HTML attribute\n    \u002F\u002F without escaping. An attacker can break out of the attribute context.\n    return '\u003Cdiv class=\"github-repo\" data-repo=\"' . $atts['repo'] . '\">\u003C\u002Fdiv>';\n}\nadd_shortcode( 'github', 'vulnerable_shortcode_callback' );\n```\n\nIn this example, if a contributor uses `[github repo='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`, the resulting HTML becomes:\n```html\n\u003Cdiv class=\"github-repo\" data-repo=\"\">\u003Cscript>alert(1)\u003C\u002Fscript>\">\u003C\u002Fdiv>\n```\nThe script executes whenever the page is viewed by any user, including administrators.\n\n#### 2. Authentication and Preconditions\n*   **User Role:** Typically requires \"Contributor\" level access or higher, as these roles have the `edit_posts` capability required to use shortcodes in the Block Editor or Classic Editor.\n*   **Persistence:** The payload is stored in the `post_content` column of the `wp_posts` database table.\n\n### Defensive Implementation and Mitigation\n\nTo prevent shortcode-based XSS, developers must follow the principle of \"Sanitize on Input, Escape on Output.\"\n\n#### 1. Context-Aware Escaping\nWordPress provides specific functions to escape data based on where it will be placed in the HTML:\n\n*   **`esc_attr()`**: Use this when placing data inside an HTML attribute (e.g., `value`, `data-*`, `class`).\n*   **`esc_html()`**: Use this when placing data between HTML tags.\n*   **`esc_url()`**: Use this when handling URLs in `href` or `src` attributes.\n\n**Secure Implementation Example:**\n```php\nfunction secure_shortcode_callback( $atts ) {\n    $atts = shortcode_atts( array(\n        'repo' => 'default\u002Frepo',\n    ), $atts );\n\n    \u002F\u002F SECURE: Use esc_attr() to prevent attribute breakout.\n    return '\u003Cdiv class=\"github-repo\" data-repo=\"' . esc_attr( $atts['repo'] ) . '\">\u003C\u002Fdiv>';\n}\nadd_shortcode( 'github', 'secure_shortcode_callback' );\n```\n\n#### 2. Input Sanitization\nWhile output escaping is the primary defense against XSS, sanitizing input provides an additional layer of security (Defense in Depth).\n\n*   **`sanitize_text_field()`**: Removes tags and line breaks.\n*   **Custom Validation**: If an attribute like `repo` is expected to follow a specific format (e.g., `username\u002Frepository`), use regular expressions to validate the input before processing it.\n\n### Verification for Security Researchers (Defensive Perspective)\n\nWhen auditing a plugin for shortcode vulnerabilities, researchers focus on the following:\n\n1.  **Locating Callbacks**: Searching for `add_shortcode()` to find the associated handler functions.\n2.  **Tracking Attributes**: Following the `$atts` array from the function signature to the return statement.\n3.  **Sink Identification**: Looking for instances where attributes are concatenated into HTML strings without functions like `esc_attr()`, `esc_html()`, or `wp_kses()`.\n\nFor more information on securing WordPress plugins, I recommend reviewing the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP XSS Prevention Cheat Sheet](https:\u002F\u002Fcheatsheetseries.owasp.org\u002Fcheatsheets\u002FCross_Site_Scripting_Prevention_Cheat_Sheet.html).","The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in all versions up to 0.1. This occurs because the plugin fails to properly escape the attribute value before rendering it in the HTML, allowing authenticated attackers with Contributor-level access to inject malicious scripts into posts.","\u002F\u002F github-shortcode.php (inferred based on description)\n\nfunction github_shortcode_handler( $atts ) {\n    $atts = shortcode_atts( array(\n        'repo' => '',\n    ), $atts );\n\n    \u002F\u002F VULNERABLE: The 'repo' attribute is concatenated directly into the HTML output\n    \u002F\u002F without using esc_attr() or similar escaping functions.\n    return '\u003Cdiv class=\"github-repo\" data-repo=\"' . $atts['repo'] . '\">\u003C\u002Fdiv>';\n}\nadd_shortcode( 'github', 'github_shortcode_handler' );","--- github-shortcode.php\n+++ github-shortcode.php\n@@ -7,5 +7,5 @@\n \n-    return '\u003Cdiv class=\"github-repo\" data-repo=\"' . $atts['repo'] . '\">\u003C\u002Fdiv>';\n+    return '\u003Cdiv class=\"github-repo\" data-repo=\"' . esc_attr( $atts['repo'] ) . '\">\u003C\u002Fdiv>';\n }\n add_shortcode( 'github', 'github_shortcode_handler' );","The exploit involves an authenticated attacker with 'Contributor' level permissions (or higher) performing the following steps:\n\n1. Log in to the WordPress administrative dashboard with a Contributor account.\n2. Create a new post or edit an existing one via the Block Editor or Classic Editor.\n3. Insert the [github] shortcode with a malicious 'repo' attribute designed to break out of the HTML attribute context. \n   Example payload: [github repo='\" onclick=\"alert(document.cookie)\" style=\"position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999;\"']\n4. Save the post as a draft or submit it for review.\n5. When an administrator or any other user views the post (either in preview mode or after publication), the injected JavaScript payload will execute in the context of their browser session.","gemini-3-flash-preview","2026-06-04 18:30:11","2026-06-04 18:30:47",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgithub-shortcode\u002Ftags"]