Skip to main content

Mir Blocks And Shortcodes

1 CVEs product

Monthly

CVE-2026-8896 MEDIUM This Month

Stored Cross-Site Scripting in the Mir Blocks and Shortcodes WordPress plugin (versions up to and including 1.0.0) allows authenticated attackers with contributor-level access to permanently inject arbitrary JavaScript into pages via unsanitized shortcode attributes - specifically the 'title' and 'ready_animation_text' parameters of the msc_stats() rendering function. Any site visitor who loads an injected page executes the attacker's script in their browser, enabling session theft, credential harvesting, or in-page content manipulation. No public exploit or CISA KEV listing is confirmed at time of analysis, but the low privilege requirement (contributor) makes this accessible to a broad class of registered WordPress users.

XSS WordPress Mir Blocks And Shortcodes
NVD
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Mir Blocks and Shortcodes WordPress plugin (versions up to and including 1.0.0) allows authenticated attackers with contributor-level access to permanently inject arbitrary JavaScript into pages via unsanitized shortcode attributes - specifically the 'title' and 'ready_animation_text' parameters of the msc_stats() rendering function. Any site visitor who loads an injected page executes the attacker's script in their browser, enabling session theft, credential harvesting, or in-page content manipulation. No public exploit or CISA KEV listing is confirmed at time of analysis, but the low privilege requirement (contributor) makes this accessible to a broad class of registered WordPress users.

XSS WordPress Mir Blocks And Shortcodes
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy