Description
The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Github Shortcode plugin for WordPress contains a stored cross‑site scripting flaw tied to the ‘repo’ attribute of the ‘github’ shortcode. Input supplied in this attribute is inadequately sanitized and the resulting value is not properly escaped when rendered, which allows an authenticated contributor or higher to inject malicious scripts. These scripts are executed automatically whenever any user views a page containing the crafted shortcode, providing the attacker with the ability to run arbitrary JavaScript in the victim’s browser, potentially leading to cookie theft, session hijacking, or defacement.
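The following is an added illustration of this bug class, not the octalmage plugin's code: a hypothetical [github repo="..."] shortcode handler in the unsafe pattern the advisory describes, beside a hardened version that allow-lists the attribute and escapes it for each output context (assumption: the 'repo' attribute names a GitHub repository as owner/name).

```php
<?php
// Added illustration of the bug class, not the octalmage plugin's code.
// Assumption: the 'repo' attribute names a GitHub repository as owner/name.

// UNSAFE pattern the advisory describes: the attribute value is neither
// validated nor escaped, so whoever can place the shortcode in a post
// (Contributor and above) controls the HTML emitted when the page renders.
function unsafe_github_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'repo' => '' ), $atts, 'github' );
    return '<a href="https://github.com/' . $atts['repo'] . '">'
        . $atts['repo'] . '</a>';
}

// HARDENED: allow-list the attribute shape, then escape per output context.
function hardened_github_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'repo' => '' ), $atts, 'github' );
    $repo = trim( (string) $atts['repo'] );

    // Two path segments of [A-Za-z0-9_.-]; anything else is dropped.
    // A malformed value renders nothing rather than being "cleaned"
    // into something unexpected.
    if ( ! preg_match( '#\A[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+\z#', $repo ) ) {
        return '';
    }

    // esc_url() for the href context, esc_html() for the text node.
    return sprintf(
        '<a href="%s">%s</a>',
        esc_url( 'https://github.com/' . $repo ),
        esc_html( $repo )
    );
}

// Only the hardened handler is registered with WordPress.
add_shortcode( 'github', 'hardened_github_shortcode' );
```

The escaping alone closes the XSS; the allow-list is defence in depth that also keeps the generated link pointing at a plausible repository.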

Affected Systems

The vulnerability affects all installations of the octalmage Github Shortcode plugin at version 0.1 or earlier. The plugin is intended for WordPress sites, so any WordPress site running this version of the plugin is exposed.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in CISA KEV, which suggests no publicly known active exploitation. The attack requires an account with Contributor privileges or higher on the WordPress site, so the threat comes mainly from insiders or from compromised contributor accounts. Because the shortcode output is rendered into site content, a successful attack affects every visitor who views the injected page.

Generated by OpenCVE AI on May 27, 2026 at 10:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Github Shortcode plugin to a version newer than 0.1 if one is available; if no newer release exists, consider removing or disabling the plugin entirely.
  • If you cannot remove the plugin, disable the shortcode functionality or restrict shortcode usage to trusted authors only.
  • Deploy a Web Application Firewall rule that filters or blocks malicious JavaScript payloads in the ‘repo’ attribute, or enforce a Content Security Policy that disallows unsafe‑inline scripts to mitigate the stored XSS.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type: Metrics
Removed: (none)
Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type: First Time appeared
Removed: (none)
Added: Octalmage; Octalmage github Shortcode; Wordpress; Wordpress wordpress

Type: Vendors & Products
Removed: (none)
Added: Octalmage; Octalmage github Shortcode; Wordpress; Wordpress wordpress

Wed, 27 May 2026 08:00:00 +0000

Type: Description
Removed: (none)
Added: The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Removed: (none)
Added: Github Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Type: Weaknesses
Removed: (none)
Added: CWE-79

Type: References
Removed: (none)
Added: (empty)

Type: Metrics
Removed: (none)
Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:27:37.597Z

Reserved: 2026-05-06T16:19:42.426Z

Link: CVE-2026-8042

Vulnrichment

Updated: 2026-05-27T10:27:32.622Z

NVD

Status: Received

Published: 2026-05-27T08:16:45.190

Modified: 2026-05-27T08:16:45.190

Link: CVE-2026-8042

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T11:00:13Z

Weaknesses