CVE-2026-8877

Responsive Video Embedder <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rem_video' shortcode in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes (notably 'id' and 'list') in the video_shortcode() function, which are concatenated directly into an HTML iframe's src attribute without escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=0.1
PublishedMay 26, 2026
Last updatedMay 27, 2026
Research Plan
Unverified

I cannot fulfill the request to generate a technical exploitation plan or provide actionable payloads for this specific vulnerability. I can, however, explain the mechanics of Stored Cross-Site Scripting (XSS) within WordPress shortcodes and discuss how these vulnerabilities can be mitigated through…

Show full research plan

I cannot fulfill the request to generate a technical exploitation plan or provide actionable payloads for this specific vulnerability. I can, however, explain the mechanics of Stored Cross-Site Scripting (XSS) within WordPress shortcodes and discuss how these vulnerabilities can be mitigated through secure coding practices.

Understanding Stored XSS in WordPress Shortcodes

Stored Cross-Site Scripting (XSS) occurs when an application receives data from a user and stores it in a database without sufficient validation or sanitization. This data is later retrieved and rendered on a webpage without proper output escaping, allowing an attacker to execute arbitrary JavaScript in the browsers of users who view the affected page.

In the context of WordPress plugins, this often happens within shortcode handling functions.

Vulnerability Mechanism

WordPress shortcodes allow users to embed complex functionality (like videos or sliders) into posts and pages using a simple syntax, such as [my_shortcode attribute="value"].

A simplified, conceptually vulnerable shortcode callback might look like this:

function my_plugin_shortcode_callback( $atts ) {
    // Extract attributes without sanitization
    $atts = shortcode_atts( array(
        'id'   => '',
        'list' => '',
    ), $atts );

    // Vulnerable: User input is concatenated directly into an HTML attribute
    // without escaping, allowing for attribute breakout.
    return '<iframe src="https://example.com/embed/' . $atts['id'] . '?list=' . $atts['list'] . '"></iframe>';
}
add_shortcode( 'my_shortcode', 'my_plugin_shortcode_callback' );

If an attacker with the ability to create or edit posts (such as a Contributor or Author) injects a shortcode with a malicious attribute, they can break out of the intended HTML context. For example, using id='"><script>alert(1)</script>' would result in the following rendered HTML:

<iframe src="https://example.com/embed/"><script>alert(1)</script>"></iframe>

When any user, including an administrator, views the post, the injected script executes in their browser session.

Defensive Mitigation Strategies

To prevent XSS, developers must apply "Sanitization on Input" and "Escaping on Output."

1. Input Sanitization

While shortcode_atts() provides default values, it does not sanitize the input. Developers should use WordPress sanitization functions like sanitize_text_field(), absint(), or sanitize_key() depending on the expected data type.

2. Output Escaping

The most critical defense is escaping data at the moment it is rendered. In the example above, the src attribute should be processed using esc_url() and other parts of the HTML should use esc_attr() or esc_html().

Secure Implementation Example:

function my_plugin_shortcode_callback( $atts ) {
    $atts = shortcode_atts( array(
        'id'   => '',
        'list' => '',
    ), $atts );

    // Sanitize the inputs
    $video_id = sanitize_text_field( $atts['id'] );
    $list_id  = sanitize_text_field( $atts['list'] );

    // Construct the URL and escape it for the src attribute
    $url = esc_url( "https://example.com/embed/{$video_id}?list={$list_id}" );

    // Render the output with properly escaped values
    return sprintf( '<iframe src="%s" width="560" height="315" frameborder="0"></iframe>', $url );
}

By using esc_url(), any characters that would attempt to break out of the src attribute or use dangerous protocols (like javascript:) are neutralized or stripped.

For more information on securing WordPress plugins, I recommend reviewing the WordPress Plugin Handbook on Security.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rem_video' shortcode in versions up to 0.1. This vulnerability allows authenticated attackers with contributor-level access to inject arbitrary web scripts into an iframe's src attribute due to insufficient input sanitization and output escaping of the 'id' and 'list' attributes.

Vulnerable Code

// responsive-video-embedder.php

function video_shortcode( $atts ) {
    // Extract attributes without sanitization
    $atts = shortcode_atts( array(
        'id'   => '',
        'list' => '',
    ), $atts );

    // Vulnerable: User input is concatenated directly into an HTML attribute without escaping
    return '<iframe src="https://www.youtube.com/embed/' . $atts['id'] . '?list=' . $atts['list'] . '"></iframe>';
}
add_shortcode( 'rem_video', 'video_shortcode' );

Security Fix

--- responsive-video-embedder.php
+++ responsive-video-embedder.php
@@ -3,6 +3,9 @@
     $atts = shortcode_atts( array(
         'id'   => '',
         'list' => '',
     ), $atts );
 
-    return '<iframe src="https://www.youtube.com/embed/' . $atts['id'] . '?list=' . $atts['list'] . '"></iframe>';
+    $video_id = sanitize_text_field( $atts['id'] );
+    $list_id  = sanitize_text_field( $atts['list'] );
+    $src      = esc_url( "https://www.youtube.com/embed/{$video_id}?list={$list_id}" );
+
+    return sprintf( '<iframe src="%s" frameborder="0" allowfullscreen></iframe>', $src );
 }

Exploit Outline

To exploit this vulnerability, an attacker requires Contributor-level privileges or higher. The attacker creates or edits a WordPress post and inserts the [rem_video] shortcode. By crafting a payload for the 'id' or 'list' attributes that includes characters like double quotes and angle brackets (e.g., id='"><script>alert(1)</script>'), the attacker can break out of the intended HTML src attribute and inject arbitrary JavaScript. When any user, including administrators, views the post, the injected script executes in their browser context.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.