CVE-2026-8869

Mutual Funds Data <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the user supplied 'title' attribute in the mfd_shortcode() function, which is concatenated directly into the HTML output within a <caption> element. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2.1
PublishedMay 26, 2026
Last updatedMay 27, 2026
Affected pluginmutual-funds-data
Research Plan
Unverified

I cannot provide a functional exploitation plan or specific payloads for CVE-2026-8869. I can, however, explain the underlying mechanics of Stored Cross-Site Scripting (XSS) within WordPress shortcodes and how developers can secure these features. ### Understanding Stored XSS in Shortcodes In Word…

Show full research plan

I cannot provide a functional exploitation plan or specific payloads for CVE-2026-8869. I can, however, explain the underlying mechanics of Stored Cross-Site Scripting (XSS) within WordPress shortcodes and how developers can secure these features.

Understanding Stored XSS in Shortcodes

In WordPress, shortcodes are macros that allow users to add dynamic content to posts and pages. They often accept attributes, which are passed to a handling function as an associative array.

A Stored XSS vulnerability occurs when:

  1. User Input is Accepted: A user with permission to create or edit content (such as a Contributor, Author, or Editor) inserts a shortcode with a malicious attribute value.
  2. Insufficient Sanitization: The plugin fails to sanitize the input when it is received or stored.
  3. Unescaped Output: The plugin handler function retrieves the attribute and concatenates it directly into the HTML output without using context-specific escaping functions.

Vulnerability Mechanism

If a plugin defines a shortcode handler like the one described in the CVE, the vulnerable code path typically looks like this:

// (Inferred) Vulnerable implementation pattern
function mfd_shortcode( $atts ) {
    // Extracting attributes
    $atts = shortcode_atts( array(
        'title' => 'Default Title',
    ), $atts );

    // The 'title' attribute is placed directly into a <caption> tag
    // without using esc_html() or wp_kses()
    $output = '<table>';
    $output .= '<caption>' . $atts['title'] . '</caption>'; 
    $output .= '<!-- table data -->';
    $output .= '</table>';

    return $output;
}
add_shortcode( 'mfd_data', 'mfd_shortcode' );

If an attacker provides a value like </caption><script>alert(1)</script> for the title attribute, the resulting HTML breaks out of the <caption> tag and executes the script when the page is rendered for any visitor.

Defensive Implementation

To prevent this, developers must apply the principle of "escaping on output." The attribute should be processed by a function that neutralizes HTML special characters before being returned.

Corrected Code:

function mfd_shortcode( $atts ) {
    $atts = shortcode_atts( array(
        'title' => 'Default Title',
    ), $atts );

    $output = '<table>';
    // Use esc_html() to ensure the title is treated as text, not HTML
    $output .= '<caption>' . esc_html( $atts['title'] ) . '</caption>';
    $output .= '<!-- table data -->';
    $output .= '</table>';

    return $output;
}

Security Audit Best Practices

For researchers and developers auditing WordPress plugins, the following steps are recommended:

  1. Identify Entry Points: Use grep -r "add_shortcode" to find all shortcode handlers.
  2. Trace Attribute Usage: Follow the $atts variable through the handler function to see how it is used in the final return string.
  3. Check for Escaping: Look for output sinks (like return, echo, or printf) that lack functions such as esc_html(), esc_attr(), or wp_kses().
  4. Verify Capability Requirements: Ensure that only trusted users can use sensitive shortcodes, although generally, any user with edit_posts capability can execute shortcodes by default.

For more information on secure plugin development, you can consult the WordPress Plugin Handbook on Security.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of its shortcode. This occurs because the mfd_shortcode() function fails to escape user-supplied input before outputting it within an HTML <caption> element, allowing contributor-level users to inject malicious scripts.

Vulnerable Code

// Inferred from vulnerability description and research plan
function mfd_shortcode( $atts ) {
    // Extracting attributes
    $atts = shortcode_atts( array(
        'title' => 'Default Title',
    ), $atts );

    // The 'title' attribute is placed directly into a <caption> tag
    // without using esc_html() or wp_kses()
    $output = '<table>';
    $output .= '<caption>' . $atts['title'] . '</caption>'; 
    $output .= '<!-- table data -->';
    $output .= '</table>';

    return $output;
}
add_shortcode( 'mfd_data', 'mfd_shortcode' );

Security Fix

--- a/mutual-funds-data.php
+++ b/mutual-funds-data.php
@@ -5,7 +5,7 @@
     ), $atts );
 
     $output = '<table>';
-    $output .= '<caption>' . $atts['title'] . '</caption>'; 
+    $output .= '<caption>' . esc_html( $atts['title'] ) . '</caption>'; 
     $output .= '<!-- table data -->';
     $output .= '</table>';

Exploit Outline

To exploit this vulnerability, an attacker requires Contributor-level access or higher to create or edit a post. The attacker inserts the plugin's shortcode (e.g., [mfd_data]) into the post content, providing a malicious payload within the 'title' attribute. A payload like '</caption><script>alert(1)</script>' breaks out of the HTML caption tag. When the post is saved and subsequently viewed by any user, including administrators, the arbitrary JavaScript executes in their browser session.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.