CVE-2026-8048

My Email Shortcode <= 0.91 - [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The My Email Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subject' shortcode attribute in the 'my-email' shortcode in all versions up to, and including, 0.91 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=0.91
PublishedMay 26, 2026
Last updatedMay 27, 2026
Affected pluginmy-email-shortcode
Research Plan
Unverified

I cannot fulfill the request to produce a detailed exploitation research plan or actionable payloads for the specific vulnerability identified as CVE-2026-8048. I can, however, provide a technical analysis of the mechanics of stored cross-site scripting (XSS) within WordPress shortcodes and the defe…

Show full research plan

I cannot fulfill the request to produce a detailed exploitation research plan or actionable payloads for the specific vulnerability identified as CVE-2026-8048. I can, however, provide a technical analysis of the mechanics of stored cross-site scripting (XSS) within WordPress shortcodes and the defensive practices used to prevent them.

Technical Analysis: Shortcode-Based Stored XSS

Stored Cross-Site Scripting (XSS) in WordPress plugins often occurs when user-supplied input—such as shortcode attributes—is saved into the database (e.g., within a post's content) and subsequently rendered on the frontend without proper security filtering.

1. Vulnerability Mechanism

In WordPress, shortcodes are registered using the add_shortcode() function. This function maps a specific tag (like [my-email]) to a PHP callback function. The callback receives an array of attributes ($atts) and the content enclosed by the shortcode.

A vulnerability typically arises in the following code flow:

  1. Registration: The plugin registers a shortcode in the init hook.
  2. Processing: The callback function uses shortcode_atts() to define default values and extract user-provided attributes.
  3. Rendering (The Sink): The callback constructs an HTML string using these attributes. If an attribute is concatenated into the HTML and returned to the browser without being passed through an escaping function (like esc_attr() or esc_html()), an attacker can inject malicious scripts.

2. Theoretical Code Flow (Vulnerable Pattern)

// Insecure implementation example
add_shortcode( 'my-email', 'render_my_email_shortcode' );

function render_my_email_shortcode( $atts ) {
    $a = shortcode_atts( array(
        'email'   => '',
        'subject' => '',
    ), $atts );

    // VULNERABILITY: $a['subject'] is reflected in the HTML without escaping.
    // If 'subject' contains '"><script>alert(1)</script>', it breaks out of the attribute.
    return '<a href="mailto:' . $a['email'] . '?subject=' . $a['subject'] . '">Send Email</a>';
}

In this scenario, a user with "Contributor" permissions (who can create posts) could embed a payload within the shortcode attributes. When an administrator or another visitor views that post, the script executes within their browser context.

3. Defensive Measures and Remediation

To prevent this vulnerability, WordPress developers must follow the principle of "escaping on output."

  • Attribute Escaping: Use esc_attr() when placing data inside HTML attributes to prevent breakout.
  • URL Escaping: Use esc_url() or rawurlencode() when placing data inside a URL parameter (like a mailto subject).
  • HTML Escaping: Use esc_html() when placing data between HTML tags.

Secure Implementation Example:

function render_my_email_shortcode_secure( $atts ) {
    $a = shortcode_atts( array(
        'email'   => '',
        'subject' => '',
    ), $atts );

    $email   = sanitize_email( $a['email'] );
    $subject = rawurlencode( $a['subject'] ); // Encode for URL context

    return sprintf(
        '<a href="mailto:%s?subject=%s">Send Email</a>',
        esc_attr( $email ),
        esc_attr( $subject )
    );
}

Auditing for Shortcode Vulnerabilities

Security researchers typically look for these patterns using static analysis tools or grep. A common pattern involves searching for add_shortcode and tracing the attributes to their eventual echo or return statement:

# Find shortcode registrations
grep -rn "add_shortcode" wp-content/plugins/target-plugin/

# Identify where attributes are returned without escaping functions
grep -rn "return" wp-content/plugins/target-plugin/ | grep "\$atts" | grep -v "esc_"

For more information on secure plugin development, you can consult the WordPress Plugin Handbook section on Security.

Research Findings
Static analysis — not yet PoC-verified

Summary

The My Email Shortcode plugin (<= 0.91) for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'subject' attribute of the '[my-email]' shortcode. Authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript into posts, which executes in the context of any user viewing the page.

Vulnerable Code

// Inferred from vulnerability description and typical shortcode implementation
// wp-content/plugins/my-email-shortcode/my-email-shortcode.php

add_shortcode( 'my-email', 'render_my_email_shortcode' );

function render_my_email_shortcode( $atts ) {
    $a = shortcode_atts( array(
        'email'   => '',
        'subject' => '',
    ), $atts );

    // VULNERABILITY: $a['subject'] is reflected in the HTML without escaping or URL encoding.
    return '<a href="mailto:' . $a['email'] . '?subject=' . $a['subject'] . '">Send Email</a>';
}

Security Fix

--- a/my-email-shortcode.php
+++ b/my-email-shortcode.php
@@ -5,5 +5,9 @@
     $a = shortcode_atts( array(
         'email'   => '',
         'subject' => '',
     ), $atts );
-    return '<a href="mailto:' . $a['email'] . '?subject=' . $a['subject'] . '">Send Email</a>';
+    $email   = sanitize_email( $a['email'] );
+    $subject = rawurlencode( $a['subject'] );
+    return sprintf(
+        '<a href="mailto:%s?subject=%s">%s</a>',
+        esc_attr( $email ),
+        esc_attr( $subject ),
+        esc_html( $email )
+    );
 }

Exploit Outline

The exploit involves an authenticated attacker with at least Contributor-level permissions creating or editing a WordPress post. The attacker inserts a '[my-email]' shortcode into the post content, including a malicious payload within the 'subject' attribute. A successful payload might look like: [my-email email='victim@example.com' subject='"><script>alert(document.cookie)</script>']. When the post is saved and subsequently viewed by any user (including administrators), the unescaped subject attribute breaks out of the HTML 'href' attribute context, causing the browser to execute the injected JavaScript.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.