Description
The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animation-set' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_args_to_html_attrs() function, which concatenates shortcode attribute values directly into double-quoted HTML attributes without calling esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Animate Your Content plugin for WordPress contains a stored cross-site scripting flaw that enables attackers with contributor-level or higher privileges to inject arbitrary scripts through the animation-set shortcode. The vulnerability arises because user-supplied attribute values are concatenated directly into double-quoted HTML attributes without proper sanitization or escaping. When a page containing the malicious shortcode is viewed, the injected script runs in the victim's browser.

Affected Systems

Any WordPress site running the Animate Your Content plugin by fides-it with a version of 1.0.0 or earlier is affected. Site administrators should inventory the plugin version on their sites and evaluate whether any user accounts possess contributor or higher capabilities that could be used to create or edit content containing the animation-set shortcode.

Risk and Exploitability

The CVSS score of 6.4 indicates medium severity. The EPSS score is not available, so the likelihood of exploitation is unknown. The vulnerability is not listed in CISA’s KEV catalog. Attackers must first authenticate to the WordPress site with at least contributor privileges to add or modify content containing the malicious shortcode. Once injected, the script executes each time a visitor loads the affected page, providing the attacker with the ability to run client-side code in the context of the site’s visitors.

Generated by OpenCVE AI on May 27, 2026 at 07:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Animate Your Content to a version newer than 1.0.0 to eliminate the flaw.
  • If an upgrade cannot be performed immediately, remove the animation-set shortcode from existing content or restrict contributor privileges so no users can insert that shortcode.
  • If the plugin must remain active, consider disabling it on publicly accessible pages until the patch is applied.

Generated by OpenCVE AI on May 27, 2026 at 07:54 UTC.
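
An added example, not part of the OpenCVE record or the plugin's code: a Python audit that scans exported post content for animation-set shortcodes whose attribute values would break out of a double-quoted HTML attribute, and renders the attribute string with and without escaping. The shortcode grammar is simplified, the attribute names and sample posts are constructed, and html.escape stands in for esc_attr().

```python
import html
import re

# Simplified model of shortcode syntax (assumption): [animation-set a="v" b='v' c=v]
SHORTCODE_RE = re.compile(r"\[animation-set(?=[\s\]])([^\]]*)\]")
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"\]]+))""")
# Characters that close a double-quoted HTML attribute or open a tag if left unescaped.
BREAKOUT_RE = re.compile(r'["<>]')

# Constructed post bodies; the attribute names "effect" and "delay" are hypothetical.
SAMPLE_POSTS = {
    101: '<p>Intro</p>[animation-set effect="fade" delay=200]Hello[/animation-set]',
    102: "[animation-set effect='fade\" data-injected=\"1']Text[/animation-set]",
}


def parse_attrs(body):
    """Return {name: raw value} for every attribute in a shortcode body."""
    attrs = {}
    for m in ATTR_RE.finditer(body):
        attrs[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def audit_post(post_id, content):
    """List (post_id, attribute, value) for values that need review."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        for name, value in parse_attrs(sc.group(1)).items():
            if BREAKOUT_RE.search(value):
                findings.append((post_id, name, value))
    return findings


def render_attrs(attrs, escape):
    """Join attributes as name="value"; html.escape models what esc_attr() would do."""
    return " ".join(
        f'{k}="{html.escape(v, quote=True) if escape else v}"' for k, v in attrs.items()
    )


if __name__ == "__main__":
    for pid, body in SAMPLE_POSTS.items():
        for _, name, value in audit_post(pid, body):
            print(f"post {pid}: attribute {name!r} needs review")
            print("  unescaped:", render_attrs({name: value}, escape=False))
            print("  escaped:  ", render_attrs({name: value}, escape=True))
```

Post 102 is flagged because its single-quoted value carries a double quote, which the unescaped rendering turns into a second, author-controlled attribute.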

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Fides-it; Fides-it animate Your Content; Wordpress; Wordpress wordpress
Vendors & Products | | Fides-it; Fides-it animate Your Content; Wordpress; Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | | The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animation-set' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_args_to_html_attrs() function, which concatenates shortcode attribute values directly into double-quoted HTML attributes without calling esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Animate Your Content <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:35:54.553Z

Reserved: 2026-05-18T20:24:30.950Z

Link: CVE-2026-8872

Vulnrichment

Updated: 2026-05-27T10:35:49.424Z

NVD

Status: Received

Published: 2026-05-27T07:16:16.743

Modified: 2026-05-27T07:16:16.743

Link: CVE-2026-8872

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:07:19Z
