Description
The Formidable Kinetic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'kinetic_link' shortcode in versions up to, and including, 1.1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (notably 'window', 'class', and 'label') in the FrmKinetic::link() function, which are concatenated directly into HTML attributes of an anchor tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Formidable Kinetic plugin implements a shortcode whose attributes – notably 'window', 'class', and 'label' – are inserted directly into an anchor tag without sanitization or escaping. This insufficient input handling creates a stored Cross‑Site Scripting flaw (CWE‑79). An attacker who can add or edit these shortcodes, such as a contributor or higher‑level user, can inject arbitrary JavaScript that will run in the browsers of any visitor who views the affected page. The resulting script can hijack user sessions, steal credentials, or deliver additional malicious payloads. The primary impact is compromised confidentiality and integrity of user sessions and the website’s content.

Affected Systems

Vendor thomstark provides the Formidable Kinetic plugin for WordPress. Versions up to and including 1.1.01 contain the vulnerable shortcode handling. All installations running 1.1.01 or earlier are affected.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, with the exploit limited to sites where the attacker has at least contributor‑level access. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Attackers must first gain authenticated contributor privileges on the target WordPress site, then create or modify a kinetic_link shortcode containing malicious attributes. Once stored, the payload executes automatically for any user who views the page. Because the flaw is stored and only requires local site privileges, the window of opportunity is constrained to compromised sites, but the impact for each affected user can be significant.

Generated by OpenCVE AI on May 27, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If the latest version is unavailable, remove or replace all instances of the kinetic_link shortcode that contain custom attributes, or disable the plugin entirely.
  • Constrain contributor‑level access by removing Permission to edit shortcodes or removing contributor roles from the site, ensuring only trusted administrators can add or edit content.
  • Check the plugin vendor’s website or the WordPress plugin repository for an updated version or official patch.

Generated by OpenCVE AI on May 27, 2026 at 08:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Thomstark
Thomstark formidable Kinetic
Wordpress
Wordpress wordpress
Vendors & Products Thomstark
Thomstark formidable Kinetic
Wordpress
Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Formidable Kinetic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'kinetic_link' shortcode in versions up to, and including, 1.1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (notably 'window', 'class', and 'label') in the FrmKinetic::link() function, which are concatenated directly into HTML attributes of an anchor tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Formidable Kinetic <= 1.1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Thomstark Formidable Kinetic
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:35:27.070Z

Reserved: 2026-05-18T20:23:02.719Z

Link: CVE-2026-8871

cve-icon Vulnrichment

Updated: 2026-05-27T10:35:21.983Z

cve-icon NVD

Status : Received

Published: 2026-05-27T07:16:16.623

Modified: 2026-05-27T07:16:16.623

Link: CVE-2026-8871

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:07:16Z

Weaknesses