Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes ('title', 'align', and 'width') in the tuxquote_build_format() function, which are concatenated into the rendered HTML without being passed through esc_attr() or esc_html(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Tuxquote WordPress plugin (versions up to and including 1.3) enables authenticated attackers holding Contributor-level access or above to inject persistent malicious scripts into WordPress pages via unsanitized shortcode attributes. The tuxquote_build_format() function concatenates user-supplied title, align, and width attributes from the TUXQUOTE shortcode directly into rendered HTML without passing them through WordPress's built-in esc_attr() or esc_html() escaping functions, allowing the payload to persist and execute in any visitor's browser. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects minimal real-world exploitation activity to date.
Technical ContextAI
The vulnerability exists within the tuxquote_build_format() PHP function in the Tuxquote plugin, with the flawed logic traceable to tuxquote.php lines L81 and L91 in the 1.3 tagged release (visible via the WordPress plugin Trac browser). The TUXQUOTE shortcode accepts three user-controlled HTML attributes - title, align, and width - which are interpolated directly into the HTML output string without sanitization. WordPress provides esc_attr() for safe attribute-context output and esc_html() for element-content output; omitting these functions is the canonical CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) pattern. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:C confirms Changed Scope, meaning the injected payload executes in the browser context of a different user (the victim), not the attacker - characteristic of stored XSS where the attacker writes the payload once and any subsequent page visitor triggers execution. The Changed Scope component is what elevates the score to 6.4 Medium despite Limited confidentiality and integrity impact ratings.
RemediationAI
No vendor-released patch has been identified at time of analysis - the NVD references point only to the vulnerable 1.3 source code and the Wordfence advisory, with no patched release version cited. Administrators should immediately check the WordPress plugin repository for a Tuxquote version greater than 1.3 and upgrade if one has been published; consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/7ea6079f-45a1-438f-890f-36457b7468ec for the most current remediation status. If no patched version is available, deactivating and removing the Tuxquote plugin eliminates the attack surface entirely at the cost of losing its quote-display shortcode functionality. As a compensating control, auditing and restricting Contributor-level account assignments reduces the pool of users who could exploit this vulnerability; sites should avoid open public contributor registration. Deploying a WordPress WAF such as Wordfence with XSS filtering rules can intercept malicious shortcode attribute payloads in transit, though this is not a substitute for patching and may interfere with legitimate shortcode usage if rules are overly broad.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32078
GHSA-283c-73pv-x3j2