[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fo45WSo1gkxi5jRWkAB1xmrwTqVDZ_vb6b0hrZe5OHig":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8048","my-email-shortcode-improper-neutralization-of-input-during-web-page-generation-cross-site-scripting","My Email Shortcode \u003C= 0.91 - [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]","The My Email Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subject' shortcode attribute in the 'my-email' shortcode in all versions up to, and including, 0.91 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","my-email-shortcode",null,"\u003C=0.91","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 17:20:21","2026-05-27 05:31:26",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6c9f5515-cdf5-4883-bdeb-1de53bcc615a?source=api-prod",[],"researched",false,3,"I cannot fulfill the request to produce a detailed exploitation research plan or actionable payloads for the specific vulnerability identified as CVE-2026-8048. I can, however, provide a technical analysis of the mechanics of stored cross-site scripting (XSS) within WordPress shortcodes and the defensive practices used to prevent them.\n\n### Technical Analysis: Shortcode-Based Stored XSS\n\nStored Cross-Site Scripting (XSS) in WordPress plugins often occurs when user-supplied input—such as shortcode attributes—is saved into the database (e.g., within a post's content) and subsequently rendered on the frontend without proper security filtering.\n\n#### 1. Vulnerability Mechanism\nIn WordPress, shortcodes are registered using the `add_shortcode()` function. This function maps a specific tag (like `[my-email]`) to a PHP callback function. The callback receives an array of attributes (`$atts`) and the content enclosed by the shortcode.\n\nA vulnerability typically arises in the following code flow:\n1.  **Registration:** The plugin registers a shortcode in the `init` hook.\n2.  **Processing:** The callback function uses `shortcode_atts()` to define default values and extract user-provided attributes.\n3.  **Rendering (The Sink):** The callback constructs an HTML string using these attributes. If an attribute is concatenated into the HTML and returned to the browser without being passed through an escaping function (like `esc_attr()` or `esc_html()`), an attacker can inject malicious scripts.\n\n#### 2. Theoretical Code Flow (Vulnerable Pattern)\n```php\n\u002F\u002F Insecure implementation example\nadd_shortcode( 'my-email', 'render_my_email_shortcode' );\n\nfunction render_my_email_shortcode( $atts ) {\n    $a = shortcode_atts( array(\n        'email'   => '',\n        'subject' => '',\n    ), $atts );\n\n    \u002F\u002F VULNERABILITY: $a['subject'] is reflected in the HTML without escaping.\n    \u002F\u002F If 'subject' contains '\">\u003Cscript>alert(1)\u003C\u002Fscript>', it breaks out of the attribute.\n    return '\u003Ca href=\"mailto:' . $a['email'] . '?subject=' . $a['subject'] . '\">Send Email\u003C\u002Fa>';\n}\n```\n\nIn this scenario, a user with \"Contributor\" permissions (who can create posts) could embed a payload within the shortcode attributes. When an administrator or another visitor views that post, the script executes within their browser context.\n\n#### 3. Defensive Measures and Remediation\nTo prevent this vulnerability, WordPress developers must follow the principle of \"escaping on output.\"\n\n*   **Attribute Escaping:** Use `esc_attr()` when placing data inside HTML attributes to prevent breakout.\n*   **URL Escaping:** Use `esc_url()` or `rawurlencode()` when placing data inside a URL parameter (like a mailto subject).\n*   **HTML Escaping:** Use `esc_html()` when placing data between HTML tags.\n\n**Secure Implementation Example:**\n```php\nfunction render_my_email_shortcode_secure( $atts ) {\n    $a = shortcode_atts( array(\n        'email'   => '',\n        'subject' => '',\n    ), $atts );\n\n    $email   = sanitize_email( $a['email'] );\n    $subject = rawurlencode( $a['subject'] ); \u002F\u002F Encode for URL context\n\n    return sprintf(\n        '\u003Ca href=\"mailto:%s?subject=%s\">Send Email\u003C\u002Fa>',\n        esc_attr( $email ),\n        esc_attr( $subject )\n    );\n}\n```\n\n### Auditing for Shortcode Vulnerabilities\nSecurity researchers typically look for these patterns using static analysis tools or grep. A common pattern involves searching for `add_shortcode` and tracing the attributes to their eventual `echo` or `return` statement:\n\n```bash\n# Find shortcode registrations\ngrep -rn \"add_shortcode\" wp-content\u002Fplugins\u002Ftarget-plugin\u002F\n\n# Identify where attributes are returned without escaping functions\ngrep -rn \"return\" wp-content\u002Fplugins\u002Ftarget-plugin\u002F | grep \"\\$atts\" | grep -v \"esc_\"\n```\n\nFor more information on secure plugin development, you can consult the [WordPress Plugin Handbook section on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","The My Email Shortcode plugin (\u003C= 0.91) for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'subject' attribute of the '[my-email]' shortcode. Authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript into posts, which executes in the context of any user viewing the page.","\u002F\u002F Inferred from vulnerability description and typical shortcode implementation\n\u002F\u002F wp-content\u002Fplugins\u002Fmy-email-shortcode\u002Fmy-email-shortcode.php\n\nadd_shortcode( 'my-email', 'render_my_email_shortcode' );\n\nfunction render_my_email_shortcode( $atts ) {\n    $a = shortcode_atts( array(\n        'email'   => '',\n        'subject' => '',\n    ), $atts );\n\n    \u002F\u002F VULNERABILITY: $a['subject'] is reflected in the HTML without escaping or URL encoding.\n    return '\u003Ca href=\"mailto:' . $a['email'] . '?subject=' . $a['subject'] . '\">Send Email\u003C\u002Fa>';\n}","--- a\u002Fmy-email-shortcode.php\n+++ b\u002Fmy-email-shortcode.php\n@@ -5,5 +5,9 @@\n     $a = shortcode_atts( array(\n         'email'   => '',\n         'subject' => '',\n     ), $atts );\n-    return '\u003Ca href=\"mailto:' . $a['email'] . '?subject=' . $a['subject'] . '\">Send Email\u003C\u002Fa>';\n+    $email   = sanitize_email( $a['email'] );\n+    $subject = rawurlencode( $a['subject'] );\n+    return sprintf(\n+        '\u003Ca href=\"mailto:%s?subject=%s\">%s\u003C\u002Fa>',\n+        esc_attr( $email ),\n+        esc_attr( $subject ),\n+        esc_html( $email )\n+    );\n }","The exploit involves an authenticated attacker with at least Contributor-level permissions creating or editing a WordPress post. The attacker inserts a '[my-email]' shortcode into the post content, including a malicious payload within the 'subject' attribute. A successful payload might look like: [my-email email='victim@example.com' subject='\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>']. When the post is saved and subsequently viewed by any user (including administrators), the unescaped subject attribute breaks out of the HTML 'href' attribute context, causing the browser to execute the injected JavaScript.","gemini-3-flash-preview","2026-06-04 19:16:40","2026-06-04 19:17:26",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmy-email-shortcode\u002Ftags"]