Description
The hk_shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the huankong_post_short_title_plane() function, where the 'title' attribute is concatenated directly into HTML output without any escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The hk_shortcode plugin for WordPress allows stored cross-site scripting via the 'title-plane' shortcode. An insufficiently sanitized 'title' attribute is concatenated directly into HTML output. Authenticated users with Contributor-level access or higher can embed arbitrary JavaScript that runs in the browser of anyone who views the affected page.

Affected Systems

The vulnerability affects the WordPress plugin hk_shortcode developed by huankong. Versions up to and including 1.0 are impacted. Any WordPress installation that runs this plugin and has users with the Contributor role (or higher) is exposed.

Risk and Exploitability

The CVSS score of 6.4 indicates medium-to-high severity, while the EPSS score is not available, leaving the exploitation frequency unclear. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access with Contributor privileges; the injected JavaScript then executes in the browser of every visitor who loads a page containing the shortcode. No specific downstream effects are detailed in the CVE description. The attack remains feasible for as long as the plugin is active.

Generated by OpenCVE AI on May 27, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade hk_shortcode to the latest version that correctly sanitizes shortcode attributes, or if no update exists, remove or disable the plugin.
  • Restrict contributor‑level users from adding or editing content that contains the 'title-plane' shortcode, or enforce stricter role capabilities to prevent such injections.
  • As an interim fix, modify the plugin's shortcode.php file to escape the 'title' attribute (for example with esc_html(), or with wp_kses() and an explicit allowed-tag list) before it is concatenated into the HTML output.
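
To make the last action concrete, here is an added PHP example that is not the hk_shortcode plugin's own code: a shortcode handler written in the unescaped pattern the description reports, beside the escaped form OpenCVE recommends. The shortcode name 'title-plane' and the 'title' attribute come from the advisory; the function names, the markup and the WordPress API usage are assumptions.

```php
<?php
// Added example, not the plugin's actual code. Assumes the WordPress API
// (shortcode_atts, esc_html, add_shortcode) is loaded, i.e. this runs inside
// a plugin or theme.

// Unescaped pattern described in the advisory (CWE-79, stored XSS): whatever
// a Contributor puts in the 'title' attribute is saved with the post and
// emitted as raw HTML for every visitor who renders the page.
function hk_title_plane_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '' ), $atts, 'title-plane' );
    return '<h2 class="hk-title-plane">' . $atts['title'] . '</h2>';
}

// Hardened form: normalise the attribute list, then escape at the point of
// output. esc_html() converts <, >, &, " and ' to entities, so the value can
// only ever render as text, whatever the author stored.
function hk_title_plane_safe( $atts ) {
    $atts  = shortcode_atts( array( 'title' => '' ), $atts, 'title-plane' );
    $title = esc_html( $atts['title'] );
    return '<h2 class="hk-title-plane">' . $title . '</h2>';
}

// Register the escaped handler under the shortcode name from the advisory.
add_shortcode( 'title-plane', 'hk_title_plane_safe' );
```

If the title genuinely needs a few inline tags (for example <em>), replace esc_html() with wp_kses( $atts['title'], $allowed_tags ) where $allowed_tags is a short explicit allow-list; never pass the raw attribute through.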


Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000
  Metrics, added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000
  First time appeared, added: Huankong; Huankong hk Shortcode; Wordpress; Wordpress wordpress
  Vendors & Products, added: Huankong; Huankong hk Shortcode; Wordpress; Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000
  Description, added: The hk_shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the huankong_post_short_title_plane() function, where the 'title' attribute is concatenated directly into HTML output without any escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  Title, added: hk_shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute
  Weaknesses, added: CWE-79
  References, added: (empty)
  Metrics, added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

No entry in the history records removed values.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:31:59.518Z

Reserved: 2026-05-18T20:36:54.922Z

Link: CVE-2026-8886

Vulnrichment

Updated: 2026-05-27T10:31:54.436Z

NVD

Status: Received

Published: 2026-05-27T07:16:17.363

Modified: 2026-05-27T07:16:17.363

Link: CVE-2026-8886

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:06:52Z

Weaknesses