Description
The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes ('title', 'align', and 'width') in the tuxquote_build_format() function, which are concatenated into the rendered HTML without being passed through esc_attr() or esc_html(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Tuxquote plugin for WordPress lets users insert a TUXQUOTE shortcode that accepts user-supplied attributes such as title, align, and width. In versions 1.3 and earlier these attributes are concatenated directly into the rendered HTML without passing through WordPress's escaping functions, allowing stored cross-site scripting. An attacker who can create or edit a page with Contributor-level or higher access can inject arbitrary JavaScript that executes whenever any site visitor loads the affected page.
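The following PHP is an added illustration of the pattern the description and this analysis refer to: shortcode attributes concatenated into markup versus the same markup built with shortcode_atts(), an allow-list, esc_attr() and esc_html(). It is not the Tuxquote plugin's code or the tuxquote_build_format() function; only the attribute names (title, align, width) come from the advisory, and the function names, defaults, the example_quote shortcode tag and the sample input are assumptions made for this example. The guarded fallback definitions let the file run under plain CLI PHP outside WordPress.

```php
<?php
// Added example, not the Tuxquote plugin's code. Attribute names come from the
// advisory; everything else (function names, defaults, sample input) is hypothetical.

// Stand-ins so this file runs with plain CLI PHP. Inside WordPress the real
// core functions already exist and these definitions are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        $atts = (array) $atts;
        $out  = array();
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// The weak pattern the advisory describes: each attribute value is dropped
// straight into an HTML attribute or text node, so any markup it carries is
// rendered as markup for every visitor of the page.
function unsafe_quote_markup(array $atts) {
    return '<div class="quote" style="text-align:' . $atts['align'] . ';width:' . $atts['width'] . 'px">'
         . '<span class="title">' . $atts['title'] . '</span>'
         . '</div>';
}

// Hardened form:
//  - shortcode_atts() fills defaults so missing keys cannot produce notices;
//  - align is restricted to a fixed allow-list (no escaping needed, but done anyway);
//  - width is cast to a positive integer, so it can only ever be digits;
//  - title is free text, so it is escaped for the context it lands in:
//    esc_attr() inside an attribute value, esc_html() inside element text.
function safe_quote_markup($atts) {
    $a     = shortcode_atts(array('title' => '', 'align' => 'left', 'width' => 300), $atts);
    $align = in_array($a['align'], array('left', 'center', 'right'), true) ? $a['align'] : 'left';
    $width = max(1, (int) $a['width']);
    return '<div class="quote" style="text-align:' . esc_attr($align) . ';width:' . esc_attr($width) . 'px" '
         . 'title="' . esc_attr($a['title']) . '">'
         . '<span class="title">' . esc_html($a['title']) . '</span>'
         . '</div>';
}

// Register under a hypothetical tag when loaded as a WordPress plugin.
if (function_exists('add_shortcode')) {
    add_shortcode('example_quote', 'safe_quote_markup');
}

// Constructed sample input: a title carrying markup and quotes, an align value
// outside the allow-list and a non-numeric width, as a Contributor could supply.
$sample = array(
    'title' => 'Tux says <b>"hello"</b>',
    'align' => 'middle;color:red',
    'width' => '200abc',
);

echo "unsafe: " . unsafe_quote_markup($sample) . PHP_EOL;
// unsafe: the <b> tag and the stray style text reach the page unchanged.
echo "safe:   " . safe_quote_markup($sample) . PHP_EOL;
// safe: align falls back to "left", width becomes 200, and the title is
// emitted as &lt;b&gt;&quot;hello&quot;&lt;/b&gt; in both contexts.
```

The point of separating esc_attr() from esc_html() is that the correct encoding depends on where the value lands: the same title goes into a title="" attribute and into a text node, and each call escapes for that context. Values with a small fixed set of meanings (align) are better handled by an allow-list than by escaping, and numeric values (width) by a cast, because then nothing untrusted reaches the markup at all.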

Affected Systems

This vulnerability affects the eldougo Tuxquote WordPress plugin on any WordPress install running version 1.3 or lower of the plugin. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS score of 6.4 classifies the issue as moderate severity. EPSS data are not available, so a precise exploit probability cannot be given, and the vulnerability is not listed in CISA’s KEV catalog, indicating no known widespread exploitation. However, because the attack requires Contributor or higher access, the potential impact is confined to sites where such roles are granted, and anyone with those permissions can inject malicious scripts that affect all users who view the compromised content.

Generated by OpenCVE AI on May 27, 2026 at 07:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Tuxquote plugin to a fixed release newer than version 1.3 once the vendor publishes an update.
  • If an update is unavailable, deactivate or uninstall the Tuxquote plugin to eliminate the attack surface.
  • As a temporary safeguard, restrict Contributor permissions to trusted users only or reduce Contributor role privileges to remove the ability to add or edit the TUXQUOTE shortcode.

Tracking


Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Eldougo; Eldougo tuxquote; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Eldougo; Eldougo tuxquote; Wordpress; Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes ('title', 'align', and 'width') in the tuxquote_build_format() function, which are concatenated into the rendered HTML without being passed through esc_attr() or esc_html(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: Tuxquote <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Eldougo Tuxquote
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:34:59.661Z

Reserved: 2026-05-18T15:28:52.316Z

Link: CVE-2026-8846

Vulnrichment

Updated: 2026-05-27T10:34:54.648Z

NVD

Status: Received

Published: 2026-05-27T07:16:15.743

Modified: 2026-05-27T07:16:15.743

Link: CVE-2026-8846

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:07:13Z

Weaknesses