MEDIUM 6.4

CVE-2026-8885: DeMomentSomTres Shortcodes WordPress Plugin Stored XSS Vulnerability

The DeMomentSomTres Shortcodes plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its 'callout' shortcode feature. An authenticated user with contributor-level permissions or higher can inject malicious JavaScript code through the 'width' and 'align' shortcode parameters. Because the plugin fails to properly sanitize and escape these inputs, the injected code executes whenever any visitor views the affected page. This creates a persistent threat that compromises site visitors, not just the page editor.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

The DeMomentSomTres Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'callout' shortcode in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on the 'width' and 'align' shortcode attributes within the st_callout() function, which concatenates the attribute values directly into an HTML style attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the st_callout() function within the DeMomentSomTres Shortcodes plugin (versions up to 1.1.1). The function concatenates the 'width' and 'align' shortcode attributes directly into HTML style attributes without sanitization or escaping. An authenticated attacker with contributor access or above can craft a malicious shortcode containing JavaScript that will be stored in the page content and executed in the browser context of any user viewing that page. The CVSS 3.1 score of 6.4 (Medium) reflects network accessibility, low attack complexity, and the requirement for authentication, balanced against limited confidentiality and integrity impact with no availability impact.

Business impact

Sites using this plugin are exposed to session hijacking, credential theft, malware distribution, and defacement via stored XSS. Since the attack requires only contributor-level access, any editor or author on the site becomes a potential attack vector—either through compromised credentials or insider threat. The persistent nature means malicious code remains active until manually removed, potentially affecting all site visitors during that window. For multi-user WordPress installations, this significantly expands the attack surface.

Affected systems

Any WordPress installation running DeMomentSomTres Shortcodes plugin version 1.1.1 or earlier is affected. The vulnerability requires authentication and contributor-level or higher role assignment, so it does not affect sites where contributor access is tightly restricted. Public and private WordPress networks are equally at risk if the plugin is installed.

Exploitability

Exploitation requires valid WordPress user credentials with contributor-level permissions or above. An attacker must already have or obtain authenticated access to the WordPress admin panel. While this requirement raises the barrier compared to unauthenticated exploits, many WordPress sites operate with looser credential management or multiple editors, making this a practical threat. No special tools or techniques are needed; a basic understanding of WordPress shortcodes and HTML/JavaScript suffices. The CVSS vector reflects this by assigning a Low privilege requirement impact, not None.

Remediation

Update the DeMomentSomTres Shortcodes plugin immediately to a patched version beyond 1.1.1 once available, or disable and remove the plugin if no patch is forthcoming. In the interim, restrict contributor-level access to trusted users only, and audit existing pages for suspicious 'callout' shortcodes. Consider using a Web Application Firewall (WAF) rule to detect and block inline script injection in shortcode parameters.

Patch guidance

Verify against the official DeMomentSomTres plugin repository or vendor advisory for the release date and version number of the patch addressing this vulnerability. Apply the update as soon as it becomes available. If you manage a hosted WordPress environment, prioritize this update in your patching schedule due to the stored XSS persistence. Test the update in a staging environment before deploying to production to ensure compatibility with existing shortcodes and site functionality.

Detection guidance

Audit your WordPress database for 'callout' shortcodes containing suspicious 'width' or 'align' attribute values, particularly those that include script tags, event handlers (onclick, onerror, onload), or encoded JavaScript. WordPress security plugins that scan post content for XSS patterns can help identify compromised pages. Monitor user activity logs for unusual shortcode edits by contributor-level accounts, and enable logging on sensitive content revisions. Check site visitor browser logs for unexpected console errors or blocked script warnings.

Why prioritize this

Although the CVSS score is Medium (6.4), this vulnerability merits priority attention because stored XSS directly endangers all site visitors, not just administrators. The attack persists until remediated, and the barrier to entry—authenticated contributor access—is present on most multi-user WordPress sites. Organizations managing WordPress installations with multiple editors should prioritize patching to prevent credential compromise or insider abuse. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a perennial attack vector.

Risk score, explained

The CVSS 3.1 score of 6.4 reflects: Network-based attack vector (accessible remotely), low attack complexity (no special conditions), requirement for authentication (not exploitable by unauthenticated users), and scope change (the injected script affects other users, not just the attacker's session). The Low confidentiality and integrity impact assumes the attacker cannot directly access or modify sensitive data but can view or alter page content visible to others. The score does not account for organizational context—sites with strict role management face lower practical risk than those with permissive contributor access.

Frequently asked questions

Can this vulnerability be exploited without WordPress user credentials?

No. The vulnerability requires valid authentication with at least contributor-level access. Unauthenticated attackers cannot inject malicious shortcodes. However, compromised credentials or weak access controls can enable exploitation.

Does updating WordPress core protect against this vulnerability?

No. This is a plugin-specific vulnerability in DeMomentSomTres Shortcodes, not in WordPress core. You must update the plugin itself. WordPress core updates do not patch third-party plugin vulnerabilities.

What happens if I simply deactivate the plugin instead of updating it?

Deactivating the plugin stops it from running, but any previously injected malicious shortcodes remain in your page content and may cause display issues or broken styling. Completely removing the plugin and cleaning compromised pages is the safest approach while awaiting a patch.

Can I use a security plugin to prevent this attack?

Security plugins can help detect and block some XSS attempts and alert you to suspicious page edits, but they are not a substitute for patching. Update the vulnerable plugin and use security tools as a defense-in-depth layer, not as a primary control.

This analysis is provided for informational purposes and does not constitute professional security advice. Verify all technical details, patch availability, and version numbers against the official DeMomentSomTres plugin repository and vendor advisories before taking action. SEC.co makes no guarantees regarding the completeness or accuracy of vulnerability information. Organizations should conduct their own risk assessment in the context of their environment, access controls, and security posture. Always test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).