Description
The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute without escaping in the dideo() shortcode handler. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Dideo plugin’s stored‑XSS vulnerability occurs because the id attribute of the [dideo] shortcode is inserted directly into an iframe src attribute without sanitization or escaping. An authenticated contributor can embed arbitrary JavaScript into the content, causing that script to run for every user who views the affected page. Based on the description, it is inferred that the attacker could steal session cookies, deface content, or redirect users; this illustrates the potential confidentiality and functional impact, but it does not provide privilege escalation on the server.
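To make the mechanism concrete, the following is an added illustration, not the Dideo plugin's actual source code: a WordPress shortcode handler that interpolates the 'id' attribute straight into an iframe 'src' (the pattern the advisory describes), beside a hardened handler that validates the id and escapes it on output. The embed base URL, the function names and the id format (a short token of letters, digits, '-' and '_') are all assumptions made for the example.

```php
<?php
// Added example, not the Dideo plugin's code. The embed base URL is a placeholder;
// the real plugin's URL is not given on the advisory page.
define( 'DIDEO_EXAMPLE_EMBED_BASE', 'https://video.example/embed/' );

// Vulnerable pattern (as described by the advisory): the shortcode attribute is
// neither sanitized nor escaped before landing inside a quoted HTML attribute.
// A value containing a double quote therefore terminates the src attribute and
// whatever follows it is parsed as further attributes or markup by the browser.
function dideo_example_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'dideo' );
    return '<iframe src="' . DIDEO_EXAMPLE_EMBED_BASE . $atts['id'] . '"></iframe>';
}

// Hardened version: validate the attribute against the expected shape first
// (rejecting anything else), then build the URL from the encoded value and
// escape it with esc_url(), which strips characters not valid in a URL
// (quotes included) and encodes entities for safe use in an attribute.
function dideo_example_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'dideo' );

    // Assumption for this example: a video id is 1-64 characters of [A-Za-z0-9_-].
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $atts['id'] ) ) {
        return ''; // unknown shape: render nothing rather than an attacker-chosen value
    }

    $src = DIDEO_EXAMPLE_EMBED_BASE . rawurlencode( $atts['id'] );

    return sprintf(
        '<iframe src="%s" loading="lazy"></iframe>',
        esc_url( $src )
    );
}

// Register the hardened handler for the [dideo id="..."] shortcode.
add_shortcode( 'dideo', 'dideo_example_shortcode_hardened' );
```

The allow-list check is the primary control: with it in place, the value can never contain a quote, angle bracket or scheme, so the later esc_url() call is defense in depth rather than the only barrier. Contributor-level users cannot use the unfiltered_html capability in a default install, which is exactly why an unescaped shortcode attribute matters: it is a path for markup to reach the page that the normal post-content filtering does not cover.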

Affected Systems

The flaw exists in the WordPress Dideo plugin for version 1.0 and earlier, developed by mshomali. Only installations running those versions are affected; later releases are not listed as vulnerable.

Risk and Exploitability

With a CVSS score of 6.4 the vulnerability is rated moderate. The EPSS score is unavailable, and the CVE is not listed in CISA’s KEV catalog, which is inferred to indicate limited or no widespread exploitation reports. Attacks require authenticated access with contributor rights or higher, and the likely attack vector is the insertion of malicious JavaScript via the ‘id’ attribute of the [dideo] shortcode into a post or page. The payload is stored client‑side, so any user viewing the compromised page will execute the script. The risk is to confidentiality and availability of the site’s content, with all exposed users potentially impacted, but ordinary server‑side logic remains unaffected.

Generated by OpenCVE AI on May 27, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Dideo plugin to a version that includes the fix for the stored‑XSS issue.
  • If an updated version is not available, disable or uninstall the Dideo plugin to eliminate the risk.
  • Restrict contributor‑level access to trusted users and review existing content for potential XSS payloads before publishing.

Generated by OpenCVE AI on May 27, 2026 at 07:51 UTC.

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type             Values Removed   Values Added
Metrics (ssvc)                    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Mshomali
                                       Mshomali dideo
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Mshomali
                                       Mshomali dideo
                                       Wordpress
                                       Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type                  Values Removed   Values Added
Description                            The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute without escaping in the dideo() shortcode handler. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                                  Dideo <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses                             CWE-79
References
Metrics (cvssV3_1)                     {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Mshomali Dideo
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:32:26.943Z

Reserved: 2026-05-18T15:30:13.159Z

Link: CVE-2026-8847

Vulnrichment

Updated: 2026-05-27T10:32:21.845Z

NVD

Status: Received

Published: 2026-05-27T07:16:15.863

Modified: 2026-05-27T07:16:15.863

Link: CVE-2026-8847

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:06:55Z

Weaknesses