MEDIUM 6.4

CVE-2026-8895: WordPress kk Blog Card Plugin Stored XSS Vulnerability

A WordPress plugin called 'kk blog card' contains a security flaw that allows contributors and higher-level users to embed malicious scripts into pages. When someone visits a page with the injected code, the script runs automatically in their browser. The vulnerability exists in versions 1.3 and earlier, and stems from the plugin not properly filtering user input before inserting it into HTML code.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

The kk blog card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blog-card' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on the shortcode's 'href' and 'type' attributes, which are concatenated directly into HTML attribute contexts in the shortcode callback registered in kk-blog-card-shortcode.php. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8895 is a Stored Cross-Site Scripting (XSS) vulnerability in the kk blog card WordPress plugin affecting versions up to 1.3. The flaw resides in the 'blog-card' shortcode handler (kk-blog-card-shortcode.php), where the 'href' and 'type' shortcode attributes are concatenated directly into HTML attribute contexts without proper sanitization on input or escaping on output. This CWE-79 violation allows authenticated users with contributor-level permissions or above to craft malicious shortcode attributes that persist in the database and execute as arbitrary JavaScript when pages are rendered for any user.

Business impact

Organizations running the kk blog card plugin face a moderate but meaningful risk. Malicious contributors can deface pages, capture user credentials, redirect readers to phishing sites, or install malware. The attack requires contributor access, limiting the threat to internal or trusted user bases—but compromised contributor accounts or disgruntled staff can cause damage at scale. Content integrity and user trust are at stake, particularly if the affected WordPress instance publishes sensitive or commercially important content.

Affected systems

Any WordPress installation using the kk blog card plugin in version 1.3 or earlier is vulnerable. The attack surface is limited to authenticated users with contributor-level access or administrative roles. Unpatched sites with lax access controls or shared contributor accounts face elevated exposure.

Exploitability

Exploitation requires valid WordPress credentials at contributor level or higher—a meaningful barrier that rules out opportunistic attacks from the public internet. However, once an attacker gains such access (through phishing, credential reuse, or insider threat), injecting malicious code into the blog-card shortcode is trivial and requires no advanced skills. The payload persists in the database, ensuring reliable execution whenever the page is viewed. No user interaction beyond normal site browsing is needed to trigger the attack.

Remediation

Update the kk blog card plugin to a patched version that implements proper input sanitization and HTML attribute escaping for the 'href' and 'type' shortcode parameters. Verify the fix against the plugin's official repository or vendor advisory before deploying. Additionally, audit recent posts and pages for suspicious shortcode modifications, review contributor account activity logs, and consider tightening contributor permissions if not strictly necessary.

Patch guidance

Check the kk blog card plugin's official WordPress repository or the vendor's website for a version newer than 1.3 that addresses this flaw. Apply the update through WordPress's plugin management interface once available and verified. Before updating, back up the database and test in a staging environment to confirm no functional regressions. After patching, scan existing content for any injected shortcodes using WordPress security plugins or manual code review of high-traffic pages.

Detection guidance

Examine database entries and page content for unexpected or anomalous 'blog-card' shortcodes, particularly those containing JavaScript event handlers (onclick, onerror) or unusual href values. Check WordPress audit logs and contributor edit history for suspicious modifications to pages or posts containing the blog-card shortcode. Security plugins offering shortcode scanning or XSS detection may flag such payloads. Monitor for unexpected JavaScript execution or console errors on pages suspected of containing injected code.

Why prioritize this

Although the CVSS score of 6.4 is medium and the vulnerability requires authentication, the ease of exploitation for authorized users, persistent storage of payloads, and potential for wide-ranging user harm justify prompt patching. Organizations should prioritize this update for any WordPress instances where the kk blog card plugin is active and where contributor access is granted to multiple users or where account compromise is a credible risk.

Risk score, explained

The CVSS 3.1 score of 6.4 (Medium) reflects a network-accessible vulnerability with low attack complexity and low privilege requirements (contributor level), combined with scope change and low impact to confidentiality and integrity. The score does not account for attack likelihood (requires existing privileges) or the high cost of exploitation to an attacker seeking broad impact; the medium rating appropriately balances the relative ease of exploitation post-access against the access barrier itself.

Frequently asked questions

Does this vulnerability affect non-contributor users?

No. Attackers must possess valid WordPress credentials with contributor-level access or above to inject malicious shortcodes. End users and viewers cannot exploit the flaw directly, but they are the targets of the injected scripts once malicious content is published.

What should I do if I cannot update the plugin immediately?

Restrict contributor access to trusted team members only, disable the blog-card shortcode via code or a security plugin if not actively used, and monitor pages for unauthorized shortcode modifications. Consider temporarily switching to an alternative, well-maintained blog card plugin until a patch is available.

How can I tell if this vulnerability has been exploited on my site?

Review the edit history of recently modified pages in WordPress and search page/post content for suspicious blog-card shortcodes containing event handlers or encoded JavaScript. Query the database directly for shortcodes with unusual href or type values. A WordPress security scanner or manual audit of high-visibility pages offers the best assurance.

Is this vulnerability being actively exploited in the wild?

This vulnerability was not added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last update. However, the low barrier to exploitation for anyone with contributor access means targeted attacks within organizations remain a credible concern regardless of broader threat activity.

This analysis is provided for informational purposes to help security teams understand and respond to CVE-2026-8895. The details herein are based on the publicly disclosed vulnerability information available as of the publication date. Patch versions, KEV status, and vendor advisories may change; always consult the official plugin repository and vendor documentation for the latest guidance. SEC.co does not provide liability guarantees or endorsement of any specific security tools or remediation procedures. Organizations are responsible for verifying all technical claims against their own environments and the vendor's official channels before implementing changes. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).