Description
The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the `title-ticker-slide`, `title-ticker-fade`, and `title-ticker-typing` shortcodes. This is due to insufficient input sanitization and output escaping on shortcode attributes (notably `border`, `width`, `height`, `header_background`, `header_text_color`, and `id`) within the `gntt_title_ticker_slide()`, `gntt_title_ticker_fade()`, and `gntt_title_ticker_typing()` functions. None of these attribute values are passed through `esc_attr()` or any other escaping function before being concatenated into HTML output. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GNTT Post Title Ticker plugin for WordPress is vulnerable to stored cross-site scripting because several shortcode attributes (border, width, height, header_background, header_text_color and id) are concatenated into the HTML the shortcodes emit without being sanitized or escaped. A value containing a quote or an angle bracket therefore closes the attribute it was meant to fill and can add an event handler or a tag of its own, so an attacker can store arbitrary JavaScript in a post that will run in the browser of every visitor who loads the page.
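The pattern the description identifies (shortcode attributes joined into markup without esc_attr()) and the fix it implies are shown below, side by side. This is an added illustrative example, not the plugin's own code and not code from OpenCVE: the handler names (gntt_example_*), the default values and the emitted markup are assumptions; only the shortcode tag and the attribute names come from the advisory. It needs WordPress for shortcode_atts(), esc_attr(), sanitize_html_class() and add_shortcode().

```php
<?php
// Added illustrative example, not the GNTT Post Title Ticker plugin's code.
// Handler names, defaults and markup are assumptions; the shortcode tag and
// the attribute names are the ones the advisory lists.

// VULNERABLE PATTERN: attribute values are concatenated straight into HTML.
// shortcode_atts() only drops unknown keys and fills defaults; it does not
// sanitize the values it keeps.
function gntt_example_ticker_vulnerable( $atts ) {
    $a = shortcode_atts( array(
        'id'                => 'ticker',
        'width'             => '100%',
        'height'            => '40px',
        'border'            => '1px solid #cccccc',
        'header_background' => '#222222',
        'header_text_color' => '#ffffff',
    ), $atts, 'title-ticker-slide' );

    // A contributor writing
    //   [title-ticker-slide id='x" onmouseover="alert(document.cookie)']
    // ends the id attribute early and attaches an event handler to the div.
    return '<div id="' . $a['id'] . '" style="width:' . $a['width'] . ';height:' . $a['height']
        . ';border:' . $a['border'] . '">'
        . '<div style="background:' . $a['header_background'] . ';color:' . $a['header_text_color'] . '">'
        . 'Latest</div></div>';
}

// HARDENED PATTERN: allow-list each value by its expected shape, then escape
// at output. esc_attr() alone closes the XSS (it encodes " ' < > &); the
// allow-lists additionally keep arbitrary CSS out of the style attribute.
function gntt_example_ticker_hardened( $atts ) {
    $a = shortcode_atts( array(
        'id'                => 'ticker',
        'width'             => '100%',
        'height'            => '40px',
        'border'            => '1px solid #cccccc',
        'header_background' => '#222222',
        'header_text_color' => '#ffffff',
    ), $atts, 'title-ticker-slide' );

    $id     = sanitize_html_class( $a['id'], 'ticker' );
    $width  = gntt_example_css_length( $a['width'], '100%' );
    $height = gntt_example_css_length( $a['height'], '40px' );
    $border = gntt_example_css_border( $a['border'], '1px solid #cccccc' );
    $bg     = gntt_example_hex_color( $a['header_background'], '#222222' );
    $fg     = gntt_example_hex_color( $a['header_text_color'], '#ffffff' );

    return sprintf(
        '<div id="%s" style="width:%s;height:%s;border:%s"><div style="background:%s;color:%s">Latest</div></div>',
        esc_attr( $id ), esc_attr( $width ), esc_attr( $height ),
        esc_attr( $border ), esc_attr( $bg ), esc_attr( $fg )
    );
}

// Validators: return the candidate only when it matches a strict shape,
// otherwise the default. Anything a contributor could use to break out of
// the attribute (quotes, brackets, handlers) fails these patterns.
function gntt_example_css_length( $value, $default ) {
    return preg_match( '/^\d+(\.\d+)?(px|%|em|rem|vw|vh)$/', $value ) ? $value : $default;
}
function gntt_example_hex_color( $value, $default ) {
    return preg_match( '/^#([0-9a-f]{3}|[0-9a-f]{6})$/i', $value ) ? $value : $default;
}
function gntt_example_css_border( $value, $default ) {
    // width, style keyword and hex colour, e.g. "2px dashed #ff0000"
    $re = '/^\d+px (none|solid|dashed|dotted|double) #([0-9a-f]{3}|[0-9a-f]{6})$/i';
    return preg_match( $re, $value ) ? $value : $default;
}

// Only the hardened handler is registered; the three tags in the advisory
// would each map to a handler of this shape.
add_shortcode( 'title-ticker-slide', 'gntt_example_ticker_hardened' );
```

The escaping is applied at the point of output even though the values were already validated: validation can be loosened later by someone editing the regexes, whereas esc_attr() at the sprintf() keeps the attribute boundary intact regardless of what reaches it.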

Affected Systems

The affected vendor is golzarrahman, the GNTT Post Title Ticker plugin for WordPress, version 1.0 and earlier. All installations using this product, regardless of the WordPress core version, are vulnerable until the plugin is updated to a release that implements proper sanitization and escaping for the shortcode attributes.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates moderate severity; the scope is rated as changed because the injected script runs in visitors' browsers rather than in the plugin's own security context. The EPSS score is below 1%, the SSVC values on this page are Exploitation: none, Automatable: no and Technical Impact: partial, and the vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been reported. An authenticated user with contributor-level access or higher can create or edit content that includes the vulnerable shortcodes through the WordPress editor. A contributor cannot publish, but the draft is rendered, shortcodes included, when an editor or administrator previews or publishes it, and once the post is live the stored script executes client-side for every visitor who loads the affected page.

Generated by OpenCVE AI on May 27, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the GNTT Post Title Ticker plugin to a patched version that applies sanitization and escaping to all shortcode attributes, once the author releases one; at the time of this page no fixed version is listed.
  • Until then, limit the Contributor role (and any custom role that holds the edit_posts capability) to trusted accounts, or review contributor submissions before they are previewed or published. Note that Contributors hold edit_posts, not edit_pages, so removing edit_pages from an account does not close this path.
  • Search existing content for stored scripts introduced via the shortcodes, including draft, pending and revision posts, since a contributor's submission is stored before anyone publishes it, and clean or remove them; consider temporarily disabling the three shortcodes (for example by unregistering them with remove_shortcode() from a small must-use plugin) until a fix is applied.
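A scan for the clean-up step above, as an added example that is not part of the plugin or of OpenCVE. It parses the attribute strings of the three shortcodes the advisory names and reports values that could leave an HTML attribute once concatenated without esc_attr(); the function names, the choice of suspicious characters and the sample post bodies are assumptions. Run it inside WordPress with `wp eval-file gntt-scan.php` to query wp_posts, or with `php gntt-scan.php` to exercise it against the constructed samples.

```php
<?php
// Added example: locate stored ticker shortcodes whose attribute values could
// break out of an HTML attribute. Not the plugin's code; names are assumptions.

const GNTT_EXAMPLE_TAGS = array( 'title-ticker-slide', 'title-ticker-fade', 'title-ticker-typing' );

// Parse key=value pairs the way WordPress does ("...", '...' or bare) and
// return the pairs whose value carries a quote, an angle bracket, an on*=
// handler or a script scheme. Legitimate values are sizes, hex colours, a
// CSS border or an element id, none of which needs those characters.
function gntt_example_suspicious_atts( $att_string ) {
    preg_match_all( '/([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))/', $att_string, $pairs, PREG_SET_ORDER );
    $bad = array();
    foreach ( $pairs as $p ) {
        // Only one of groups 2, 3, 4 holds the value, depending on the quoting.
        $value = $p[2];
        if ( isset( $p[3] ) && $p[3] !== '' ) { $value = $p[3]; }
        if ( isset( $p[4] ) && $p[4] !== '' ) { $value = $p[4]; }
        if ( preg_match( '/["\'<>]|\bon\w+\s*=|javascript:|expression\s*\(/i', $value ) ) {
            $bad[ strtolower( $p[1] ) ] = $value;
        }
    }
    return $bad;
}

// Find every ticker shortcode in one post body. Like WordPress, the attribute
// text runs to the first ']'.
function gntt_example_scan_content( $content ) {
    $tags = implode( '|', array_map( 'preg_quote', GNTT_EXAMPLE_TAGS ) );
    preg_match_all( '/\[(' . $tags . ')([^\]]*)\]/i', $content, $found, PREG_SET_ORDER );
    $hits = array();
    foreach ( $found as $f ) {
        $bad = gntt_example_suspicious_atts( $f[2] );
        if ( $bad ) {
            $hits[] = array( 'shortcode' => strtolower( $f[1] ), 'atts' => $bad );
        }
    }
    return $hits;
}

// Inside WordPress: check every non-trashed row in wp_posts, deliberately
// including drafts, pending posts and revisions, because a contributor's
// submission is stored before anyone publishes it.
function gntt_example_scan_site() {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( '[title-ticker-' ) . '%';
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_author, post_type, post_status, post_content FROM {$wpdb->posts}
         WHERE post_content LIKE %s AND post_status <> 'trash'",
        $like
    ) );
    $report = array();
    foreach ( $rows as $row ) {
        $hits = gntt_example_scan_content( $row->post_content );
        if ( $hits ) {
            $report[ (int) $row->ID ] = array(
                'author' => (int) $row->post_author,
                'type'   => $row->post_type,
                'status' => $row->post_status,
                'hits'   => $hits,
            );
        }
    }
    return $report;
}

if ( function_exists( 'get_bloginfo' ) ) {
    print_r( gntt_example_scan_site() );
} else {
    // Constructed sample post bodies for a stand-alone run: one clean, one
    // breaking out of a single-quoted id, one smuggling a tag in border.
    $samples = array(
        '[title-ticker-slide id="news" width="100%" header_background="#222222"] clean',
        '[title-ticker-fade id=\'x" onmouseover="alert(document.cookie)\' width="300px"]',
        '[title-ticker-typing height="40px" border="<img src=x onerror=alert(1)>"]',
    );
    foreach ( $samples as $i => $body ) {
        echo "sample $i: ";
        print_r( gntt_example_scan_content( $body ) );
    }
}
```

The first sample produces no hits; the second reports the id attribute, the third the border attribute. Review each reported post by ID and author rather than bulk-deleting: the author field identifies which contributor account submitted the payload, which matters for the account review the previous action calls for.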

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

First Time appeared (values added): Golzarrahman; Golzarrahman gntt Post Title Ticker; Wordpress; Wordpress wordpress
Vendors & Products (values added): Golzarrahman; Golzarrahman gntt Post Title Ticker; Wordpress; Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Description (values added): The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the `title-ticker-slide`, `title-ticker-fade`, and `title-ticker-typing` shortcodes. This is due to insufficient input sanitization and output escaping on shortcode attributes (notably `border`, `width`, `height`, `header_background`, `header_text_color`, and `id`) within the `gntt_title_ticker_slide()`, `gntt_title_ticker_fade()`, and `gntt_title_ticker_typing()` functions. None of these attribute values are passed through `esc_attr()` or any other escaping function before being concatenated into HTML output. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title (values added): GNTT Post Title Ticker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses (values added): CWE-79
References (values added): none listed
Metrics (values added): cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Golzarrahman Gntt Post Title Ticker
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:37:43.456Z

Reserved: 2026-05-15T17:40:08.858Z

Link: CVE-2026-8701

Vulnrichment

Updated: 2026-05-27T10:37:38.886Z

NVD

Status : Received

Published: 2026-05-27T07:16:14.303

Modified: 2026-05-27T07:16:14.303

Link: CVE-2026-8701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:07:31Z

Weaknesses