MEDIUM 6.4

CVE-2026-8841: Extra Settings for RocketChat WordPress Plugin Stored XSS Vulnerability

The Extra Settings for RocketChat plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in versions up to 0.1. A WordPress user with contributor-level permissions or higher can craft a malicious 'title' attribute in the 'rocketchat' shortcode to inject JavaScript code into a page. When other users visit that page, the injected script executes in their browser within the site's context, potentially allowing the attacker to steal credentials, perform actions on their behalf, or deface content.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rocketchat' shortcode's 'title' attribute in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping in the rxstg_shortcode() function, which concatenates the user-supplied 'title' attribute directly into HTML output. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8841 is a stored XSS vulnerability residing in the rxstg_shortcode() function of the Extra Settings for RocketChat WordPress plugin. The vulnerability stems from unsafe handling of the 'title' shortcode attribute: user input is concatenated directly into HTML output without proper sanitization or escaping. The attack requires authenticated access at the contributor level or above, making it dependent on either a compromised lower-privileged account or an insider threat. Because the malicious payload persists in the page content (stored XSS rather than reflected), it affects any subsequent visitor regardless of intent, creating a potentially long-lived attack surface.

Business impact

A compromised or malicious contributor can persistently inject malicious scripts into public or private pages, risking defacement, credential theft, or redirection of users to phishing sites. For organizations using RocketChat integration through WordPress, this expands the attack surface beyond direct RocketChat infrastructure to the wider WordPress ecosystem. Reputational damage, compliance violations (especially in regulated industries), and user trust erosion are tangible concerns if such an injection goes undetected.

Affected systems

WordPress installations with the Extra Settings for RocketChat plugin, version 0.1 and earlier. The vulnerability is limited to installations where contributors or higher-privileged users exist; it does not affect subscriber-only or read-only deployments. Organizations relying on this plugin for chat integration should immediately verify their plugin version and contributor roster.

Exploitability

Exploitation requires valid WordPress credentials with at least contributor-level access. No network authentication bypass, zero-day chain, or public exploit code is known to exist. The CVSS score of 6.4 (Medium) reflects the privilege requirement, though the cross-site nature (scope change) and dual impact on confidentiality and integrity elevate it beyond a simple low-privilege XSS. An attacker with legitimate contributor status or one who compromises such an account can exploit this with minimal technical skill—simply adding a shortcode attribute.

Remediation

Immediately update the Extra Settings for RocketChat plugin to a version later than 0.1 (verify the patched version against the official WordPress plugin repository or vendor advisory). Conduct a manual audit of recent page revisions to identify and remove any suspicious 'rocketchat' shortcodes. Review contributor and editor user accounts for unauthorized activity or suspicious login patterns. As a temporary mitigation, restrict contributor-level permissions to trusted individuals only and audit all page content published by contributors in the past 30 days.

Patch guidance

Update to the latest available version of the Extra Settings for RocketChat plugin. Verify the patched version number from the official WordPress plugin repository or the vendor's security advisory. After updating, test the plugin's shortcode functionality to ensure no regressions. Consider implementing automated plugin update policies to reduce the window of exposure for future vulnerabilities.

Detection guidance

Search your WordPress database for instances of the 'rocketchat' shortcode with unusual or suspicious 'title' attributes (e.g., those containing script tags, event handlers like onload, or encoded payloads). Monitor WordPress user activity logs for new page or post revisions created by contributors around the publication date of this CVE. Implement Web Application Firewalls (WAF) rules to detect and block common XSS payloads in HTTP requests to your WordPress site. Consider using WordPress security plugins that scan for malicious shortcode content.

Why prioritize this

This vulnerability merits prompt attention despite its Medium CVSS score because it enables persistent content injection across your entire WordPress audience. Unlike reflected XSS, stored XSS affects visitors indiscriminately and can remain undetected for long periods. The broad scope (cross-site execution) and dual impact on confidentiality and integrity compound the risk. Organizations with strict security posture or compliance requirements should treat this as high-priority; others should schedule patching within 2–4 weeks.

Risk score, explained

The CVSS 3.1 score of 6.4 reflects: (1) Network-adjacent attack vector (any online attacker with credentials can trigger it), (2) Low attack complexity (shortcode syntax is straightforward), (3) Low privilege requirement (contributor access is easily granted in many WordPress setups), (4) No user interaction needed (stored payload executes automatically), (5) Scope change (XSS impacts other users, not just the attacker), and (6) Partial impact on confidentiality and integrity (session hijacking, data theft, content manipulation possible but not system-wide). The absence of availability impact and requirement for valid credentials prevent a higher score.

Frequently asked questions

Does this vulnerability affect my site if I don't use the RocketChat plugin?

No. This vulnerability is exclusive to the Extra Settings for RocketChat plugin. If you don't have it installed, you are not at risk from this CVE. Check your WordPress plugins list to confirm.

What if I've already updated to the latest version? Do I need to check my pages?

Yes. Updating stops future exploitation but does not remove existing malicious payloads already injected into pages. Conduct a manual review of recent page revisions, particularly those edited by contributors around the time this CVE was disclosed (June 2026 onward), and remove any suspicious shortcodes.

Can an attacker exploit this without a WordPress account?

No. This vulnerability requires valid WordPress credentials with at least contributor-level access. Public-facing websites with open user registration are at higher risk if registration is unrestricted, but exploitation still requires account activation and promotion to contributor status.

How long has this vulnerability been in the wild?

The vulnerability affects versions up to 0.1. Without knowing the plugin's release history, we cannot determine how long it has existed. The CVE was published on 2026-06-09. Monitor your site logs and page revisions for suspicious activity dating back several months to be safe.

This analysis is provided for informational purposes and should not be construed as legal, financial, or professional security advice. Organizations should validate all remediation recommendations against their own environment, threat model, and compliance obligations before implementation. Patch availability and version numbers should be confirmed directly with the plugin vendor or official WordPress repository. SEC.co makes no warranty regarding the completeness or accuracy of this assessment relative to future disclosures or vendor communications. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).