Security Alert Summary
The DeMomentSomTres Shortcodes plugin for WordPress is vulnerable to stored cross-site scripting (XSS) in the plugin’s callout shortcode. Authenticated attackers with contributor-level access or higher can supply crafted values for shortcode attributes that are concatenated into an HTML style attribute without proper sanitization or escaping, allowing arbitrary scripts to be stored and executed when an affected page is viewed.
CVE Details
- CVE ID: CVE-2026-8885
- Affected component: DeMomentSomTres Shortcodes plugin for WordPress
- Affected versions: All versions up to and including 1.1.1
- Published: June 2, 2026 at 9:16:16 AM
- Last modified: June 2, 2026 at 1:03:31 PM
- CVSS v3.1 base score: 6.4 (MEDIUM)
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Authentication / privileges / user interaction: network attack vector; low privileges required (authenticated contributor-level or above); no user interaction required; scope changed (the injected script runs in the browsers of other users who view the page, not in the attacker's own session)
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting)
Technical Details
The vulnerability is a stored cross-site scripting issue in the plugin's st_callout() function. The width and align shortcode attributes are concatenated directly into an HTML style attribute without input validation or output escaping, so a value containing a double quote closes the style attribute early and the remainder of the value is parsed as further HTML. Because shortcode text is stored as part of post content, an authenticated user with contributor-level access or higher can save such a value, and the resulting markup is rendered in the browser of anyone who later views the post, including the editor or administrator who previews a contributor's draft.
The root cause is that shortcode attribute values are trusted as if they were CSS and inserted into HTML output unvalidated and unescaped. WordPress's content filtering for roles without the unfiltered_html capability does not catch this, because what is stored is a bracketed shortcode rather than HTML; the unsafe HTML only comes into existence when the shortcode is rendered.
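The following is an added illustration, not the plugin's own code: a callout-style shortcode handler that builds an inline style attribute from width and align, first in the unsafe pattern described above and then in a hardened form. The attribute names, their defaults, the shortcode tag "callout" and the function names are assumptions for the example; the WordPress helpers shortcode_atts(), esc_attr() and add_shortcode() are real.

```php
<?php
// Added illustration, not the plugin's own code. Shortcode tag, attribute
// defaults and function names are assumptions for the example.

// Stand-ins so the file runs outside WordPress. Inside WordPress the real
// shortcode_atts() and esc_attr() are used instead (esc_attr() additionally
// avoids double-encoding entities already present; the stand-in does not).
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// WordPress passes an empty string rather than an array when a shortcode
// carries no attributes, so both handlers normalise $atts first.
function callout_atts($atts): array {
    return shortcode_atts(['width' => '100%', 'align' => 'left'], is_array($atts) ? $atts : []);
}

// UNSAFE: the attribute values are concatenated straight into a quoted
// style attribute. A value containing a double quote closes the attribute
// early and whatever follows is parsed as further HTML attributes.
function callout_unsafe($atts, $content = ''): string {
    $a = callout_atts($atts);
    return '<div class="callout" style="width:' . $a['width']
        . ';text-align:' . $a['align'] . ';">' . $content . '</div>';
}

// HARDENED: validate each value against what a CSS width or alignment can
// legitimately be, fall back to the default otherwise, and escape on output
// regardless. Validation stops CSS-level abuse (an attacker-chosen extra
// declaration after a semicolon needs no quote at all); escaping stops the
// attribute breakout even if the validation is later loosened.
function callout_hardened($atts, $content = ''): string {
    $a = callout_atts($atts);
    if (!preg_match('/^\d{1,4}(?:\.\d+)?(?:px|em|rem|%)$/', (string) $a['width'])) {
        $a['width'] = '100%';
    }
    if (!in_array($a['align'], ['left', 'center', 'right', 'justify'], true)) {
        $a['align'] = 'left';
    }
    // $content is the text between [callout]...[/callout]; a real handler
    // would normally pass it through do_shortcode() for nested shortcodes.
    return '<div class="callout" style="width:' . esc_attr($a['width'])
        . ';text-align:' . esc_attr($a['align']) . ';">' . $content . '</div>';
}

// Constructed input: a width value that closes the style attribute early.
$crafted = ['width' => '10px" title="', 'align' => 'left'];
echo callout_unsafe($crafted, 'Note'), PHP_EOL;
echo callout_hardened($crafted, 'Note'), PHP_EOL;

// Registration as it would look inside the plugin (tag name assumed).
if (function_exists('add_shortcode')) {
    add_shortcode('callout', 'callout_hardened');
}
```

Run with the PHP CLI: the unsafe handler emits the double quote verbatim, so the browser sees the style attribute end after 10px and a new title attribute begin, while the hardened handler rejects the width and renders width:100% with nothing else changed. Escaping alone is not a complete fix here: esc_attr() leaves semicolons untouched, so without the allowlist a contributor could still append arbitrary CSS declarations (for example an overlay positioned over a login form), which is enough for the phishing scenario in the next section even without script execution.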
How This Could Impact Your Website
In a typical WordPress site with multiple users, a contributor or higher could create or edit page content that includes the vulnerable callout shortcode. When that page is saved, the injected script would run whenever other users or visitors view the page. Practical consequences include exposure of internal user data (for example, content or email addresses visible on pages), and an increased risk of targeted phishing or social engineering directed at staff or contractors who access affected pages.
Example scenario: an external contractor with contributor access adds a styled callout using the shortcode. Because the width and align attributes are not safely handled, the contractor’s input stores a script that captures form fields or session-visible data when editors or administrators view the page, enabling information collection that could be used for follow-up phishing.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available; the advisory lists every version up to and including 1.1.1 as affected and names no fixed release, so until one appears consider deactivating the plugin.
- Review and reduce unnecessary user roles; limit contributor-level access where possible.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, including unexpected content changes or new pages.
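A stored XSS leaves its payload in the database, so alongside the steps above it is worth checking existing content for callout shortcodes whose width or align values could never be legitimate. The script below is an added triage example, not part of the plugin or the advisory; the shortcode tag "callout", the sample rows and the allowed-value rules are assumptions and should be adjusted to the plugin's source.

```php
<?php
// Added triage script, not part of the plugin or the advisory. The shortcode
// tag "callout" and the allowed-value rules are assumptions.
// Requires PHP 7.2+ for PREG_UNMATCHED_AS_NULL.

// The same rules a hardened handler would enforce on render.
function width_is_plausible(string $v): bool {
    return (bool) preg_match('/^\d{1,4}(?:\.\d+)?(?:px|em|rem|%)$/', $v);
}
function align_is_plausible(string $v): bool {
    return in_array($v, ['left', 'center', 'right', 'justify'], true);
}

// Returns one finding per offending attribute: post ID, author ID,
// attribute name and the raw stored value.
function find_suspicious_callouts(array $posts, string $tag = 'callout'): array {
    $findings = [];
    // Opening tag with its attribute string; the closing tag is irrelevant here.
    $open = '/\[' . preg_quote($tag, '/') . '\b([^\]]*)\]/i';
    // name="value", name='value' or bare name=value.
    $attr = '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))/';
    foreach ($posts as $post) {
        if (!preg_match_all($open, $post['post_content'], $shortcodes)) {
            continue;
        }
        foreach ($shortcodes[1] as $attrString) {
            preg_match_all($attr, $attrString, $pairs, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL);
            foreach ($pairs as $p) {
                $name  = strtolower($p[1]);
                $value = $p[2] ?? $p[3] ?? $p[4] ?? '';
                $bad = ($name === 'width' && !width_is_plausible($value))
                    || ($name === 'align' && !align_is_plausible($value));
                if ($bad) {
                    $findings[] = [
                        'post_id'   => $post['ID'],
                        'author'    => $post['post_author'],
                        'attribute' => $name,
                        'value'     => $value,
                    ];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows in the shape of wp_posts. In practice feed the
// function real rows, e.g. exported with
//   wp post list --post_type=any --post_status=any --format=json \
//     --fields=ID,post_author,post_content
$posts = [
    ['ID' => 11, 'post_author' => 2, 'post_content' => 'Intro [callout width="50%" align="center"]Hello[/callout]'],
    ['ID' => 12, 'post_author' => 7, 'post_content' => '[callout width=\'10px" title="\' align="left"]Hi[/callout]'],
    ['ID' => 13, 'post_author' => 7, 'post_content' => '[callout align="left<b>"]Hi[/callout] and plain text'],
    ['ID' => 14, 'post_author' => 2, 'post_content' => 'No shortcode here.'],
];

foreach (find_suspicious_callouts($posts) as $f) {
    printf("post %d (author %d): %s=%s\n", $f['post_id'], $f['author'], $f['attribute'], $f['value']);
}
```

On the sample rows this reports posts 12 and 13, both by author 7, and nothing for the legitimate callout in post 11. When run inside WordPress (for example through wp eval-file), the two hand-written regexes can be replaced by get_shortcode_regex() and shortcode_parse_atts(), which handle the full shortcode syntax. Note that a finding matters even after the plugin is patched: escaped output makes the stored value inert, but it still points at an account that attempted an injection and at drafts that editors may already have previewed.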
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team is happy to help.
References
- https://plugins.trac.wordpress.org/browser/demomentsomtres-shortcodes/trunk/demomentsomtres-shortcodes.php#L163
- https://plugins.trac.wordpress.org/browser/demomentsomtres-shortcodes/trunk/demomentsomtres-shortcodes.php#L173
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8f09f239-dd6e-4fc0-b656-f8c73b7e9022?source=cve