Description
The Google+ Link Name plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gplusnamelink' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes ('id' and 'name') in the gplusnamelink_generate() function, which are concatenated directly into the rendered HTML without calling esc_attr() or esc_html(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The gplusnamelink shortcode in the Google+ Link Name plugin allows an authenticated contributor or higher to embed arbitrary scripts. The plugin fails to sanitize its ‘id’ and ‘name’ attributes, concatenating them directly into HTML. An attacker can inject malicious JavaScript that will run in the browser of any user who views a page containing the compromised shortcode, potentially revealing credentials, defacing the site or installing malware.

Affected Systems

WordPress installations using the Google+ Link Name plugin by morettolss, versions 1.0 or earlier. The vulnerability applies to all sites that enable the shortcode without additional restrictions.

Risk and Exploitability

The CVSS base score of 6.4 indicates moderate severity, and while no EPSS data exists, the lack of KEV listing suggests no confirmed widespread exploitation yet. Nevertheless, because the flaw requires only contributor‑level access, an attacker that gains such privileges can easily inject payloads. The vulnerability hinges on inadequate input sanitization (CWE‑79) and can be exploited when the plugin renders the shortcode’s attributes unchecked.

Generated by OpenCVE AI on May 27, 2026 at 07:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Google+ Link Name plugin to a version newer than 1.0, if one is available.
  • If an update is not available, remove the plugin entirely or disable the gplusnamelink shortcode for all users.
  • Restrict contributor‑level access or ensure any content editors use only safe HTML; consider configuring WordPress to strip disallowed attributes before rendering.

Generated by OpenCVE AI on May 27, 2026 at 07:29 UTC.
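
The escaping the description says is missing, shown as an added example (not the plugin's code and not from OpenCVE or Wordfence): a must-use plugin that replaces the gplusnamelink handler with one that validates 'id' and escapes 'name' for each output context. The handler name, the anchor markup, the profile URL shape and the numeric-only id rule are assumptions, since the plugin's real output is not shown on this page.

```php
<?php
/**
 * Plugin Name: gplusnamelink shortcode hardening (added example)
 * Place in wp-content/mu-plugins/ so it loads regardless of plugin state.
 */
defined( 'ABSPATH' ) || exit;

/**
 * Hypothetical replacement handler. The markup and profile URL shape are
 * assumptions; the vulnerable plugin's real output is not shown on the page.
 */
function example_gplusnamelink_safe( $atts ) {
	// Accept only the two documented attributes; everything else is dropped.
	$atts = shortcode_atts( array( 'id' => '', 'name' => '' ), $atts, 'gplusnamelink' );

	// Assumption: a profile id is purely numeric. Reject instead of repairing.
	$id = trim( (string) $atts['id'] );
	if ( '' === $id || ! ctype_digit( $id ) ) {
		return '';
	}

	// Input-side cleanup: strips tags, control characters and extra whitespace.
	$name = sanitize_text_field( (string) $atts['name'] );
	if ( '' === $name ) {
		return '';
	}

	// Output-side escaping, matched to each context the value lands in.
	return sprintf(
		'<a href="%s" title="%s" rel="noopener">%s</a>',
		esc_url( 'https://plus.google.com/' . $id ), // URL context
		esc_attr( $name ),                           // attribute context
		esc_html( $name )                            // element text context
	);
}

// Run as late as possible on init so this replaces a handler the plugin
// registered at load time or earlier on init. add_shortcode() overwrites
// any existing callback for the same tag.
add_action( 'init', function () {
	remove_shortcode( 'gplusnamelink' );
	add_shortcode( 'gplusnamelink', 'example_gplusnamelink_safe' );
	// To disable the shortcode outright instead, register
	// '__return_empty_string' as the callback.
}, PHP_INT_MAX );
```

If the plugin registers its shortcode on a hook that fires after init, the override has to be attached to a later hook to take effect.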

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Morettolss; Morettolss google+ Link Name; Wordpress; Wordpress wordpress
Vendors & Products | | Morettolss; Morettolss google+ Link Name; Wordpress; Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | | The Google+ Link Name plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gplusnamelink' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes ('id' and 'name') in the gplusnamelink_generate() function, which are concatenated directly into the rendered HTML without calling esc_attr() or esc_html(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Google+ Link Name <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:39:33.971Z

Reserved: 2026-05-18T15:26:05.745Z

Link: CVE-2026-8842

Vulnrichment

Updated: 2026-05-27T10:39:28.916Z

NVD

Status: Deferred

Published: 2026-05-27T07:16:15.307

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-8842

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:07:43Z

Weaknesses