Description
The kk blog card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blog-card' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on the shortcode's 'href' and 'type' attributes, which are concatenated directly into HTML attribute contexts in the shortcode callback registered in kk-blog-card-shortcode.php. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-09
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kk blog card plugin for WordPress contains stored cross-site scripting vulnerabilities in its 'blog-card' shortcode. Shortcode attributes 'href' and 'type' are concatenated directly into HTML without sufficient sanitisation or escaping, allowing an authenticated contributor or higher-privilege user to inject arbitrary JavaScript that is then stored and rendered whenever the injected page is accessed.

Affected Systems

The vulnerability exists in all versions of the kk blog card plugin up to and including 1.3. It affects WordPress sites that have installed this plugin, regardless of the WordPress core version, and requires at least contributor-level permissions to create or edit content that contains the shortcode.

Risk and Exploitability

With a CVSS score of 6.4, the flaw is considered moderate severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Attackers must be authenticated and possess contributor or higher privileges; once compromised, they can inject scripts that will execute in the browsers of all users who view the affected page. The fact that the injection is stored increases the persistence and potential impact, making the risk high if the site’s user base is significant.

Generated by OpenCVE AI on June 9, 2026 at 05:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kk blog card plugin to the latest released version that contains the fix for the stored XSS vulnerability.
  • If an upgrade is not immediately possible, remove or disable the 'blog-card' shortcode from the site’s content or from the plugin’s code to eliminate the attack surface.
  • Implement additional input sanitisation for the 'href' and 'type' shortcode attributes by ensuring they are processed with WordPress functions such as esc_url() and esc_attr() so that any future content added via the shortcode is safely escaped.

Generated by OpenCVE AI on June 9, 2026 at 05:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Kenz60
Kenz60 kk Blog Card
Wordpress
Wordpress wordpress
Vendors & Products Kenz60
Kenz60 kk Blog Card
Wordpress
Wordpress wordpress

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description The kk blog card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blog-card' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on the shortcode's 'href' and 'type' attributes, which are concatenated directly into HTML attribute contexts in the shortcode callback registered in kk-blog-card-shortcode.php. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title kk blog card <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Kenz60 Kk Blog Card
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-09T16:02:46.631Z

Reserved: 2026-05-18T21:01:25.804Z

Link: CVE-2026-8895

cve-icon Vulnrichment

Updated: 2026-06-09T16:02:42.144Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T05:16:40.027

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-8895

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:55:54Z

Weaknesses