Description
The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'color', 'podcast_id', and 'podcast_slug'. These attributes are directly concatenated into inline JavaScript within single-quoted string arguments without any escaping or sanitization, allowing an attacker to break out of the JavaScript string context. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Script Injection via Stored XSS
Action: Patch
AI Analysis

Impact

The fyyd podcast shortcodes plugin for WordPress contains a Stored XSS vulnerability, classified as CWE-79. The plugin concatenates user-supplied values from shortcode attributes such as 'color', 'podcast_id', and 'podcast_slug' directly into inline JavaScript without sanitization or escaping, allowing an attacker to break out of the string context and inject arbitrary script. When the malicious code is stored in a post or page, it executes automatically whenever any user views that content, providing a vector for session hijacking, credential theft, or further site compromise.
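The defect the description names is plain string concatenation of shortcode attributes into an inline JavaScript literal. The PHP below is an added illustration written for this page, not the fyyd plugin's own code: a hypothetical shortcode handler in the vulnerable style, followed by a hardened version that validates each attribute by its expected type and serialises the values with wp_json_encode so that a quote in an attribute cannot terminate the string context. The handler and shortcode names (example_fyyd_*) and the renderPlayer() browser function are assumed for the example; the WordPress API calls (add_shortcode, shortcode_atts, absint, sanitize_title, sanitize_hex_color, wp_json_encode) are real.

```php
<?php
// Added illustration for this page; not the fyyd plugin's own code.
// Hypothetical handler showing the pattern the advisory describes: attribute
// values pasted into an inline <script> inside single-quoted JS strings.
// Shown for contrast only; it is deliberately never registered below.
function example_fyyd_vulnerable_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'podcast_id' => '', 'podcast_slug' => '', 'color' => '#000000' ),
        $atts
    );
    // Defect: every value is concatenated raw. A single quote inside any of
    // them ends the JS string literal and the rest of the value is parsed as code.
    return "<script>renderPlayer('" . $atts['podcast_id'] . "', '"
        . $atts['podcast_slug'] . "', '" . $atts['color'] . "');</script>";
}

// Hardened version: validate each attribute against the type it is supposed
// to have, then let wp_json_encode() produce the JavaScript literals. The
// JSON_HEX_* flags additionally encode < > & ' " as \uXXXX escapes, so neither
// a quote nor a "</script>" sequence can appear literally in the output.
function example_fyyd_safe_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'podcast_id' => '', 'podcast_slug' => '', 'color' => '#000000' ),
        $atts
    );

    // Numeric id: absint() yields a non-negative integer or 0, nothing else.
    $podcast_id = absint( $atts['podcast_id'] );

    // Slug: sanitize_title() reduces the value to lowercase letters, digits and dashes.
    $podcast_slug = sanitize_title( $atts['podcast_slug'] );

    // Colour: sanitize_hex_color() returns the value only for a valid
    // #rgb / #rrggbb string and null otherwise; fall back to the default.
    $color = sanitize_hex_color( $atts['color'] );
    if ( null === $color ) {
        $color = '#000000';
    }

    // Encode all three values once, as one object, and pass that to the script.
    $config = wp_json_encode(
        array( 'id' => $podcast_id, 'slug' => $podcast_slug, 'color' => $color ),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );

    return '<script>renderPlayer(' . $config . ');</script>';
}

add_shortcode( 'example-fyyd', 'example_fyyd_safe_shortcode' );
```

Type validation does most of the work here: an integer id, a slug restricted to [a-z0-9-] and a hex colour simply cannot carry a quote, so the JSON encoding is defence in depth rather than the only barrier. If the site runs a Content Security Policy that forbids inline scripts, the same config can be placed in a data-* attribute (escaped with esc_attr) and read by an enqueued script instead of emitting an inline script block.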

Affected Systems

All WordPress sites running the cbednarek fyyd podcast shortcodes plugin, version 0.3.1 or earlier, are vulnerable. The flaw applies to the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes that expose the vulnerable attributes.

Risk and Exploitability

The flaw carries a medium CVSS score of 6.4, with no EPSS data available and it is absent from the CISA KEV catalog. Exploitation requires an authenticated user with Contributor-level or higher access and the ability to insert a malformed 'color' attribute into a shortcode. Once stored, the injected script runs for any visitor to the affected page, offering attackers a persistent and widespread attack surface.

Generated by OpenCVE AI on March 21, 2026 at 07:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the fyyd podcast shortcodes plugin to the newest release (0.3.2 or later).
  • If a newer version is unavailable, deactivate or remove the plugin to prevent further exploitation.
  • Limit Contributor permissions or enforce strict content review before allowing users to add shortcodes with user-supplied attributes.



Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Cbednarek; Cbednarek fyyd Podcast Shortcodes; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Cbednarek; Cbednarek fyyd Podcast Shortcodes; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values removed: (none)
Values added: The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'color', 'podcast_id', and 'podcast_slug'. These attributes are directly concatenated into inline JavaScript within single-quoted string arguments without any escaping or sanitization, allowing an attacker to break out of the JavaScript string context. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values removed: (none)
Values added: fyyd podcast shortcodes <= 0.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:14.209Z

Reserved: 2026-03-12T20:48:55.644Z

Link: CVE-2026-4084

Vulnrichment

Updated: 2026-03-23T17:23:36.136Z

NVD

Status : Deferred

Published: 2026-03-21T04:17:40.810

Modified: 2026-04-24T16:27:44.277

Link: CVE-2026-4084

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:42:21Z

Weaknesses