WordPress google-plus-name-link-popup-badge <=1.0 Authenticated Stored XSS via Shortcode Attributes (CVE-2026-8842)

Vulnerability Overview Vulnerability Name: Google+ Link Name <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes CVE ID: CVE-2026-8842 CVSS Score: 6.4 (Medium) Release Date: May 26, 2026 Last Updated: May 27, 2026 Researcher: MA-Jdoo Affected Software Software Type: Plugin Software Name: google-plus-name-link-popup-badge Affected Versions: <= 1.0 Remediation Patched: No Recommendation: No known patch is currently available. It is recommended to review the vulnerability details in depth and implement mitigation measures based on your organization's risk tolerance. Uninstalling the affected software and seeking an alternative may be necessary. Vulnerability Description The vulnerability exists in the Google+ Link Name plugin, allowing authenticated users (Contributor+ level and above) to inject malicious scripts through shortcode attributes, resulting in a Stored Cross-Site Scripting (Stored XSS) attack. Specifically, the plugin fails to properly sanitize input and escape output when processing user-provided and attributes, allowing malicious scripts to be directly embedded into the rendered HTML. References plugins.trac.wordpress.org plugins.trac.wordpress.org Additional Information API Access: The Wordfence Intelligence Vulnerability Database API is completely free for both personal and commercial use. Business Hours: 9am-8pm ET, 6am-5pm PT, and 2pm-1am UTC/GMT (excluding weekends and holidays). Response Time: 24-hour support, year-round, with a 1-hour response time. Footer Information Copyright: © 2012-2026 Defiant Inc. All Rights Reserved Social Media: Twitter, Facebook, LinkedIn, Instagram Contact: you@example.com Summary This vulnerability is a Stored Cross-Site Scripting (Stored XSS) issue affecting versions <= 1.0 of the Google+ Link Name plugin. There are currently no known patches available; it is recommended to implement mitigation measures or uninstall the affected plugin.

Goal Reached Thanks to every supporter — we hit 100%!

WordPress google-plus-name-link-popup-badge <=1.0 Authenticated Stored XSS via Shortcode Attributes (CVE-2026-8842)

More from this source