Description
The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-20
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Faces of Users plugin for WordPress contains a stored cross-site scripting flaw in the handling of the 'default' attribute of the 'facesofusers' shortcode. When an authenticated user with Contributor or higher privileges creates or edits a shortcode containing malicious script tags, the content is stored without adequate sanitization or escaping. Subsequent page loads render the injected script, allowing the attacker to execute arbitrary JavaScript in the browsers of any visitor to that page. The weakness is cataloged as CWE-79.

Affected Systems

Users of the Faces of Users WordPress plugin, developed by mcinvale, are affected. All releases up to and including version 0.0.3 contain the bug; later releases, if any, are not known to be affected.

Risk and Exploitability

The CVSS score of 6.4 reflects moderate severity, and no EPSS data is available. Because the vulnerability requires only authenticated access at the Contributor level, many sites may have eligible users, increasing the likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog, suggesting no currently documented exploitation. Attackers can trigger the flaw by inserting malicious payloads in the default attribute; the payload is stored and served on every subsequent visit to the affected page, enabling persistent cross-site scripting attacks.

Generated by OpenCVE AI on May 20, 2026 at 04:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Faces of Users to the newest available version that removes the vulnerable default shortcode handling.
  • If an immediate upgrade is not possible, delete any content that contains the 'default' attribute or disable the shortcode entirely to prevent injection.
  • Restrict users with Contributor or higher roles from inserting shortcodes, or modify the plugin code to perform proper input sanitization and output escaping on the attribute.
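The third action above (sanitize the attribute on input and escape it on output) is the fix a plugin author would apply inside the shortcode callback. The following is an added illustration, not the Faces of Users plugin's own code: the plugin's real handler is not shown on this page, so the function names, the markup produced and the assumption that 'default' carries a plain-text fallback value are hypothetical. It shows the unsafe concatenation pattern that produces CWE-79 next to the hardened form using the WordPress helpers shortcode_atts(), sanitize_text_field(), esc_attr() and esc_html().

```php
<?php
// Added example, not the Faces of Users plugin's code. The handler names, the
// output markup and the meaning of the 'default' attribute are assumptions.

// Unsafe pattern (hypothetical): the attribute value is concatenated into HTML
// unchanged, so any markup a Contributor places in the shortcode is rendered
// verbatim on every page view. This is the shape of defect the advisory describes.
function fou_example_unsafe_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'default' => '' ), $atts, 'facesofusers' );
    return '<div class="faces-of-users" data-default="' . $atts['default'] . '">'
         . $atts['default'] . '</div>';
}

// Hardened pattern: sanitize once on input, then escape for each output context.
function fou_example_safe_shortcode( $atts ) {
    // shortcode_atts() drops unknown attributes and supplies the default value.
    $atts = shortcode_atts( array( 'default' => '' ), $atts, 'facesofusers' );

    // Input sanitization: strips tags, encodes a lone '<', removes line breaks
    // and control characters. Appropriate because the value is plain text.
    $default = sanitize_text_field( $atts['default'] );

    // Output escaping chosen per context: esc_attr() inside an attribute value,
    // esc_html() inside element content. Escaping is done at output time even
    // though the value was sanitized, so a future change in storage or source
    // does not silently reintroduce the bug.
    return '<div class="faces-of-users" data-default="' . esc_attr( $default ) . '">'
         . esc_html( $default ) . '</div>';
}

// Registration as the plugin would do it; the real plugin registers its own
// callback under this tag, so this line is illustrative only.
add_shortcode( 'facesofusers', 'fou_example_safe_shortcode' );
```

Two points a reviewer would check when auditing a handler like this: the Contributor role can publish shortcodes but lacks the unfiltered_html capability, so the escaping inside the callback is the only barrier between the attribute and the page; and if the attribute is intended to carry limited HTML rather than plain text, sanitize_text_field() would strip it, and wp_kses() with an explicit allowlist is the right replacement.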

Advisories

No advisories yet.

History

Wed, 20 May 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
Values Added: Mcinvale; Mcinvale faces Of Users; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Mcinvale; Mcinvale faces Of Users; Wordpress; Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type: Description
Values Added: The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Faces of Users <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T13:02:24.004Z

Reserved: 2026-05-06T15:48:52.894Z

Link: CVE-2026-8038

Vulnrichment

Updated: 2026-05-20T13:02:20.820Z

NVD

Status : Deferred

Published: 2026-05-20T02:16:39.690

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-8038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:09Z

Weaknesses