Description
The Credits Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the 'credits' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-12
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Credits Shortcode plugin for WordPress contains a stored cross-site scripting flaw tied to the 'link' attribute of the 'credits' shortcode. The attribute value is neither validated on input nor escaped when the shortcode is rendered, so an authenticated attacker with contributor-level access or higher can place arbitrary JavaScript in it. The injected script is saved with the post content and runs whenever a page containing that content is viewed by any visitor.

Affected Systems

All sites running the Credits Shortcode plugin by jashjacob at version 1.2 or earlier are affected. The WordPress core version does not matter; the plugin only needs to be active, since an attacker with contributor access can add a 'credits' shortcode to their own post or page, so prior use of the shortcode on the site is not required.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) classifies this vulnerability as medium severity: reachable over the network, low attack complexity, low privileges required, no user interaction, and a changed scope because the injected script executes in the browsers of other users. The EPSS probability is below 1% (very low), the issue is not listed in the CISA KEV catalog, and the SSVC enrichment records Exploitation: none, so no public exploitation was known as of the last advisory. The attack path requires an authenticated WordPress account with contributor or higher privileges that creates or edits content containing the 'credits' shortcode with a crafted 'link' value. Once stored, the payload is served to every visitor who views the affected page, so the impact persists until the content is cleaned.

Generated by OpenCVE AI on May 12, 2026 at 11:06 UTC.
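As an added illustration (not the plugin's code, which is not shown on this page), the hypothetical shortcode handlers below show the pattern the description refers to: a 'link' attribute concatenated into an href with no validation or escaping, beside a hardened version that accepts only http/https URLs and HTML-encodes everything it emits. Inside WordPress the hardened handler would call esc_url() and esc_attr(); plain PHP functions stand in here so the file runs stand-alone with the PHP CLI.

```php
<?php
// Added example, not code from the Credits Shortcode plugin or from OpenCVE.
// Two hypothetical handlers for a [credits link="..." text="..."] shortcode.
// Run with: php credits_demo.php

// Unsafe: attribute values are concatenated straight into the HTML output.
function credits_shortcode_unsafe(array $atts): string {
    $atts = array_merge(['link' => '', 'text' => 'Credits'], $atts); // like shortcode_atts()
    return '<a href="' . $atts['link'] . '">' . $atts['text'] . '</a>';
}

// Allow only absolute http/https URLs; everything else (javascript:, data:,
// vbscript:, attribute break-outs) is dropped. In WordPress use esc_url().
function safe_url(string $url): string {
    $url = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME); // null/false when absent or malformed
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';
    }
    return $url;
}

// HTML-encode a value for an attribute or text node. In WordPress use esc_attr()/esc_html().
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened: validate the URL, then escape every value placed into the markup.
function credits_shortcode_safe(array $atts): string {
    $atts = array_merge(['link' => '', 'text' => 'Credits'], $atts);
    $href = safe_url($atts['link']);
    if ($href === '') {
        return '<span>' . h($atts['text']) . '</span>'; // no link rather than a dangerous one
    }
    return '<a href="' . h($href) . '">' . h($atts['text']) . '</a>';
}

// Constructed inputs: one legitimate link and two attack values of the kind
// a contributor could store in post content.
$samples = [
    ['link' => 'https://example.com/', 'text' => 'Example'],
    ['link' => 'javascript:alert(document.domain)', 'text' => 'Click me'],
    ['link' => '"><img src=x onerror=alert(1)>', 'text' => 'Credits'],
];

foreach ($samples as $atts) {
    echo "unsafe: " . credits_shortcode_unsafe($atts) . "\n";
    echo "safe:   " . credits_shortcode_safe($atts) . "\n\n";
}
```

With the unsafe handler the second sample yields an anchor whose href runs script on click, and the third closes the href attribute and injects an element whose onerror handler fires on page load; the hardened handler renders both as plain text with no link. Note that WordPress's own shortcode parser governs how quotes inside an attribute reach the handler, so the exact break-out string that works against a given plugin depends on how the attribute is written in the post.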

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Credits Shortcode plugin to a version newer than 1.2 that contains the stored XSS fix, once the vendor releases one.
  • If no newer version is available, uninstall or deactivate the plugin until an update is released.
  • Review all posts, pages and revisions that contain the 'credits' shortcode (for example by searching post_content in the wp_posts table), remove any 'link' value that is not a plain http/https URL, and pay particular attention to content created or modified by contributor-level accounts.

Generated by OpenCVE AI on May 12, 2026 at 11:06 UTC.
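The content review above can be scripted. The following is an added example, not code from the plugin or from OpenCVE: it walks a set of post rows, pulls every 'link' attribute out of each [credits ...] shortcode, and flags values that use a non-http(s) scheme (after decoding HTML entities, since browsers decode them inside href) or contain markup that could break out of the attribute. The $posts array is a constructed stand-in for rows of wp_posts; on a real site the same function can be fed rows from $wpdb->get_results() or from a `wp db query` export.

```php
<?php
// Added example, not the plugin's code. Hunts for suspicious 'link' values in
// [credits ...] shortcodes across stored post content.
// Run with: php credits_hunt.php

// Return every 'link' attribute value found in [credits ...] tags (quoted or bare).
function extract_credits_links(string $content): array {
    $links = [];
    preg_match_all('/\[credits\b([^\]]*)\]/i', $content, $tags);
    foreach ($tags[1] as $attrs) {
        // (?| ... ) is a branch-reset group, so all three alternatives capture into $m[1].
        if (preg_match('/\blink\s*=\s*(?|"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i', $attrs, $m)) {
            $links[] = $m[1];
        }
    }
    return $links;
}

// Basic check: anything other than an http/https URL or a markup-free relative path is suspicious.
function is_suspicious_link(string $link): bool {
    $link = html_entity_decode($link, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Browsers strip ASCII control characters and whitespace when parsing a scheme,
    // so "java\tscript:" must be judged as "javascript:".
    $probe = preg_replace('/[\x00-\x20]/', '', $link);
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)) {
        return !in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    // No scheme: flag quotes, angle brackets or inline event handlers that could
    // escape the href attribute.
    return (bool) preg_match('/[<>"\']|\bon\w+\s*=/i', $link);
}

// $posts: list of ['ID' => int, 'post_content' => string]. Returns the offending rows.
function find_suspicious_credits(array $posts): array {
    $hits = [];
    foreach ($posts as $post) {
        foreach (extract_credits_links($post['post_content']) as $link) {
            if (is_suspicious_link($link)) {
                $hits[] = ['ID' => $post['ID'], 'link' => $link];
            }
        }
    }
    return $hits;
}

// Constructed sample rows standing in for wp_posts.
$posts = [
    ['ID' => 11, 'post_content' => 'Thanks to [credits link="https://example.org/team" text="the team"].'],
    ['ID' => 12, 'post_content' => '[credits link=javascript:alert(document.cookie) text=Credits]'],
    ['ID' => 13, 'post_content' => "[credits link='&#106;avascript:alert(1)' text='x']"],
    ['ID' => 14, 'post_content' => '[credits link="https://example.org/" text="ok"] '
        . '[credits link="data:text/html,<script>alert(1)</script>" text="more"]'],
];

foreach (find_suspicious_credits($posts) as $hit) {
    printf("post %d: suspicious link attribute %s\n", $hit['ID'], $hit['link']);
}
// Expected: posts 12, 13 and 14 are reported; post 11 is clean.
```

Treat the output as a worklist rather than a verdict: a flagged post needs its revisions checked too, and the account that last edited it is the starting point for the incident review.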


Advisories

No advisories yet.

History

Wed, 13 May 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Jashjacob; Jashjacob credits Shortcode; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Jashjacob; Jashjacob credits Shortcode; Wordpress; Wordpress wordpress

Tue, 12 May 2026 13:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 08:30:00 +0000

Type: Description
Values Added: The Credits Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the 'credits' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Credits Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link' Shortcode Attribute

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-12T12:46:07.265Z

Reserved: 2026-04-13T21:18:56.168Z

Link: CVE-2026-6256

Vulnrichment

Updated: 2026-05-12T12:46:03.054Z

NVD

Status : Deferred

Published: 2026-05-12T09:16:55.503

Modified: 2026-05-12T14:03:52.757

Link: CVE-2026-6256

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:39:28Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')