Description
The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' (and 'button') shortcode attributes in the rspc_check_shortcode() function, which are echoed directly into iframe src attributes without esc_attr() or esc_url(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the Responsive Check plugin for WordPress versions up to 0.0.3. In the rspc_check_shortcode() function, the 'url' and 'button' shortcode attributes are echoed directly into iframe src attributes without adequate sanitization or escaping. This allows an authenticated contributor or higher to inject arbitrary JavaScript that executes in any visitor’s browser when the affected page is loaded.

Affected Systems

WordPress sites running the kevin1804 Responsive Check plugin at version 0.0.3 or older are affected. The vulnerability is reached through the rspcheck shortcode: a user with contributor or higher privileges places the shortcode, with crafted 'url' or 'button' attributes, in a post or page, and the payload is rendered whenever that content is viewed.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates medium severity: network-reachable, low attack complexity, low privileges required and no user interaction, with the changed scope reflecting that the script runs in the browsers of other users rather than in the attacker's own session. The EPSS score is below 1% (very low), and the vulnerability is not listed in CISA KEV. Attackers must be authenticated with contributor-level or higher access to inject the malicious shortcode. Once injected, the payload runs in the context of any user who views the page containing the shortcode.

Generated by OpenCVE AI on May 27, 2026 at 07:22 UTC.
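The following is an added example, not code from the Responsive Check plugin or from this advisory. It reconstructs the pattern the Description and Impact sections describe (shortcode attribute values echoed straight into an iframe's quoted HTML attributes) and places a hardened handler beside it. Only the WordPress core APIs used (shortcode_atts, esc_url, esc_attr, add_shortcode) are real; the function names, the shortcode tag it registers and the exact markup layout are assumptions. It is written to run inside WordPress (for example as a mu-plugin), not stand-alone.

```php
<?php
/*
 * Added example (not the plugin's code): the unsafe shortcode pattern the
 * advisory describes, next to a hardened version. Function names, the
 * registered shortcode tag and the output markup are assumptions.
 * Loads inside WordPress, e.g. as wp-content/mu-plugins/rspc-example.php.
 */

// --- Unsafe pattern (do not use). Shortcode: [rspcheck url="..." button="..."]
function rspc_example_vulnerable_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'button' => 'Check' ), $atts, 'rspcheck' );
    // Raw attribute values land inside double-quoted HTML attributes. A value
    // containing a double quote (e.g. passed as url='" onload="...') closes the
    // src attribute and starts a new one, so whoever can save the shortcode
    // controls the rendered markup. KSES does not help here: it filters post
    // HTML on save, not the markup this handler builds at render time.
    return '<iframe src="' . $atts['url'] . '" data-label="' . $atts['button'] . '"></iframe>';
}

// --- Hardened version: validate, then escape for the exact output context.
function rspc_example_safe_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'button' => 'Check' ), $atts, 'rspcheck' );

    // 1. Only http(s) URLs belong in an iframe src. esc_url() with an explicit
    //    protocol list returns '' for any other scheme (javascript:, data:, ...)
    //    and encodes characters that would otherwise break out of the attribute.
    $url = esc_url( $atts['url'], array( 'http', 'https' ) );
    if ( '' === $url ) {
        return ''; // fail closed: emit nothing rather than a broken or hostile tag
    }

    // 2. Free-text attribute values are escaped with esc_attr() for the
    //    attribute context (esc_html() would be the choice for element text).
    $label = esc_attr( $atts['button'] );

    return sprintf(
        '<iframe src="%s" data-label="%s"></iframe>',
        $url,
        $label
    );
}

// Registered under an assumed tag so it does not collide with the real plugin.
add_shortcode( 'rspcheck_safe_example', 'rspc_example_safe_shortcode' );
```

The fix has two halves and both matter: esc_url() with a protocol list rejects non-http(s) schemes outright, and esc_attr() / esc_url() encode the quote and angle-bracket characters that let a value escape its attribute. Escaping alone (esc_attr() on a URL) would still let a javascript: URL through to the src, which is why the URL is validated as a URL first.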

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Responsive Check to a fixed release as soon as the vendor publishes one that escapes the 'url' and 'button' shortcode attributes; as of this advisory no fixed version is listed, so check the plugin's changelog before assuming a later version is patched.
  • Until a fix is available, deactivate the plugin, or remove existing 'rspcheck' shortcodes from posts and pages and audit stored content (including drafts and pending posts from contributors) for shortcodes with quotes, angle brackets or non-http(s) URLs in their attributes.
  • Limit contributor-level and higher privileges to trusted users only, or enforce stricter role-based access control so that only administrators can publish content containing shortcodes.

Generated by OpenCVE AI on May 27, 2026 at 07:22 UTC.
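The audit step in the recommended actions above can be scripted. The following is an added example, not code from the plugin or the advisory: it walks all posts and pages, parses every rspcheck shortcode with WordPress's own shortcode parser, and reports attribute values that contain quotes or angle brackets (attribute breakout) or, for 'url', a scheme other than http/https. The core APIs used (get_shortcode_regex, shortcode_parse_atts, WP_Query) are real; the function names and the command line for running it are assumptions, and the two checks are heuristics meant to produce a short list for manual review, not a proof of compromise.

```php
<?php
/*
 * Added example (not the plugin's code): audit stored content for rspcheck
 * shortcodes whose attributes look injected. Function names are hypothetical.
 * Runs inside WordPress, e.g.:  wp eval-file rspc-audit.php
 */

// Decide whether one attribute value looks injected. Pure PHP, so it can be
// unit-tested outside WordPress.
function rspc_audit_flag_value( $name, $value ) {
    $reasons = array();
    // Any quote or angle bracket can terminate the HTML attribute the plugin
    // writes the value into.
    if ( preg_match( '/["\'<>]/', $value ) ) {
        $reasons[] = 'quote/angle bracket (attribute breakout)';
    }
    // For the iframe src, only http(s) is legitimate; javascript:, data:, or a
    // missing scheme are all suspicious.
    if ( 'url' === $name ) {
        $scheme = strtolower( (string) parse_url( $value, PHP_URL_SCHEME ) );
        if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
            $reasons[] = 'non-http(s) scheme: ' . ( '' === $scheme ? '(none)' : $scheme );
        }
    }
    return $reasons;
}

// Scan every post and page in every non-trashed status: contributors' drafts
// and pending posts count, since they can be previewed.
function rspc_audit_posts() {
    $findings = array();
    // get_shortcode_regex() limited to the rspcheck tag; group 3 is the
    // attribute string, exactly as WordPress itself parses it.
    $regex = '/' . get_shortcode_regex( array( 'rspcheck' ) ) . '/';
    $query = new WP_Query( array(
        'post_type'      => 'any',
        'post_status'    => 'any',
        'posts_per_page' => -1,
    ) );
    foreach ( $query->posts as $post ) {
        if ( ! preg_match_all( $regex, $post->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            $atts = shortcode_parse_atts( $m[3] );
            if ( ! is_array( $atts ) ) {
                continue; // shortcode without attributes
            }
            foreach ( $atts as $name => $value ) {
                $reasons = rspc_audit_flag_value( (string) $name, (string) $value );
                if ( $reasons ) {
                    $findings[] = array(
                        'post_id' => $post->ID,
                        'author'  => (int) $post->post_author,
                        'attr'    => (string) $name,
                        'value'   => (string) $value,
                        'reasons' => $reasons,
                    );
                }
            }
        }
    }
    return $findings;
}

$findings = rspc_audit_posts();
if ( ! $findings ) {
    echo "no suspicious rspcheck attributes found\n";
}
foreach ( $findings as $f ) {
    printf( "post %d (author %d) %s=%s -> %s\n",
        $f['post_id'], $f['author'], $f['attr'], $f['value'], implode( '; ', $f['reasons'] ) );
}
```

Review each hit by post ID and author rather than bulk-deleting: a legitimate URL with a quote in its query string will be flagged too, and the author field is what tells you whether a contributor account needs to be looked at.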

Tracking


Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000 (values added; nothing removed)

  Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000 (values added; nothing removed)

  First Time appeared: Kevin1804; Kevin1804 responsive Check; Wordpress; Wordpress wordpress
  Vendors & Products: Kevin1804; Kevin1804 responsive Check; Wordpress; Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000 (values added; nothing removed)

  Description: The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' (and 'button') shortcode attributes in the rspc_check_shortcode() function, which are echoed directly into iframe src attributes without esc_attr() or esc_url(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  Title: Responsive Check <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
  Weaknesses: CWE-79
  References: (none)
  Metrics: cvssV3_1
    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:32:40.367Z

Reserved: 2026-05-18T15:26:59.480Z

Link: CVE-2026-8844

Vulnrichment

Updated: 2026-05-27T10:32:35.790Z

NVD

Status: Received

Published: 2026-05-27T07:16:15.427

Modified: 2026-05-27T07:16:15.427

Link: CVE-2026-8844

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:06:56Z

Weaknesses