Skip to main content

Tuxquote WordPress Plugin EUVDEUVD-2026-32078

| CVE-2026-8846 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 security@wordfence.com GHSA-283c-73pv-x3j2
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 21:59 vuln.today
CVE Published
May 27, 2026 - 07:16 nvd
MEDIUM 6.4

DescriptionCVE.org

The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes ('title', 'align', and 'width') in the tuxquote_build_format() function, which are concatenated into the rendered HTML without being passed through esc_attr() or esc_html(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Tuxquote WordPress plugin (versions up to and including 1.3) enables authenticated attackers holding Contributor-level access or above to inject persistent malicious scripts into WordPress pages via unsanitized shortcode attributes. The tuxquote_build_format() function concatenates user-supplied title, align, and width attributes from the TUXQUOTE shortcode directly into rendered HTML without passing them through WordPress's built-in esc_attr() or esc_html() escaping functions, allowing the payload to persist and execute in any visitor's browser. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects minimal real-world exploitation activity to date.

Technical ContextAI

The vulnerability exists within the tuxquote_build_format() PHP function in the Tuxquote plugin, with the flawed logic traceable to tuxquote.php lines L81 and L91 in the 1.3 tagged release (visible via the WordPress plugin Trac browser). The TUXQUOTE shortcode accepts three user-controlled HTML attributes - title, align, and width - which are interpolated directly into the HTML output string without sanitization. WordPress provides esc_attr() for safe attribute-context output and esc_html() for element-content output; omitting these functions is the canonical CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) pattern. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:C confirms Changed Scope, meaning the injected payload executes in the browser context of a different user (the victim), not the attacker - characteristic of stored XSS where the attacker writes the payload once and any subsequent page visitor triggers execution. The Changed Scope component is what elevates the score to 6.4 Medium despite Limited confidentiality and integrity impact ratings.

RemediationAI

No vendor-released patch has been identified at time of analysis - the NVD references point only to the vulnerable 1.3 source code and the Wordfence advisory, with no patched release version cited. Administrators should immediately check the WordPress plugin repository for a Tuxquote version greater than 1.3 and upgrade if one has been published; consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/7ea6079f-45a1-438f-890f-36457b7468ec for the most current remediation status. If no patched version is available, deactivating and removing the Tuxquote plugin eliminates the attack surface entirely at the cost of losing its quote-display shortcode functionality. As a compensating control, auditing and restricting Contributor-level account assignments reduces the pool of users who could exploit this vulnerability; sites should avoid open public contributor registration. Deploying a WordPress WAF such as Wordfence with XSS filtering rules can intercept malicious shortcode attribute payloads in transit, though this is not a substitute for patching and may interfere with legitimate shortcode usage if rules are overly broad.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-32078 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy