CVE-2026-8847 Overview
CVE-2026-8847 is a Stored Cross-Site Scripting (XSS) vulnerability in the Dideo plugin for WordPress, version 1.0. The flaw resides in the plugin's dideo shortcode handler, which interpolates the user-supplied id attribute directly into the src attribute of an HTML iframe without escaping or sanitization. Authenticated users with contributor-level access or above can inject arbitrary JavaScript that executes in the browser of any visitor who loads the affected page. The issue is classified under CWE-79: Improper Neutralization of Input During Web Page Generation.
Critical Impact
Authenticated contributors can persist malicious scripts into WordPress posts and pages, leading to session theft, administrative account takeover, and visitor redirection when the injected content is rendered.
Affected Products
- Dideo plugin for WordPress, version 1.0
- WordPress sites permitting contributor-level user registration with the plugin installed
- Public-facing pages rendering the dideo shortcode
Discovery Timeline
- 2026-05-27 - CVE-2026-8847 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-8847
Vulnerability Analysis
The Dideo plugin registers a shortcode named dideo that embeds a video player via an HTML iframe. The shortcode handler accepts an id attribute from the post content and concatenates that value into the src attribute of the generated iframe element. Because the handler does not call WordPress escaping functions such as esc_attr() or esc_url(), attacker-controlled characters break out of the attribute context.
An attacker with contributor privileges can craft a shortcode whose id parameter contains quote characters and inline JavaScript handlers. When an editor previews the post or a visitor loads the page, the browser parses the injected payload as HTML and executes the script in the site's origin. This enables theft of administrator session cookies, modification of plugin settings, and pivoting to remote code execution through other privileged endpoints.
Root Cause
The root cause is missing input sanitization and missing output escaping in the dideo() shortcode callback. The plugin trusts shortcode attribute values authored by lower-privileged users and emits them into an HTML attribute context without contextual encoding, violating WordPress secure coding guidance for shortcode output.
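The unsafe pattern described above, beside a hardened handler, as an added example; this is not the Dideo plugin's own code. It assumes WordPress is loaded, so add_shortcode(), shortcode_atts() and esc_url() are available; the embed base URL and the permitted id format are placeholders, since the advisory does not give Dideo's real ones.

```php
<?php
// Added example (not the Dideo plugin's code). Assumes WordPress is loaded.
// The embed base URL and the id format are placeholders, not Dideo's real values.

// Vulnerable pattern: the raw attribute value lands inside src="...".
function dideo_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'dideo' );
    // $atts['id'] is author-controlled. A double quote in it ends the src
    // attribute; whatever follows is parsed by the browser as new attributes.
    return '<iframe src="https://embed.example.invalid/' . $atts['id'] . '"></iframe>';
}

// Hardened pattern: validate against an allowlist, then escape for the URL
// context. Either step alone stops the attribute break-out; together they
// also guarantee the value is nothing but an identifier.
function dideo_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'dideo' );
    $id   = (string) $atts['id'];

    // Assumed id format: letters, digits, '-' and '_' only. Reject anything else.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $id ) ) {
        return '';
    }

    // rawurlencode() is redundant after the allowlist but costs nothing if the
    // allowlist is later relaxed.
    $url = 'https://embed.example.invalid/' . rawurlencode( $id );

    // esc_url() strips characters outside the URL-safe set (including ", < and >)
    // and rejects schemes that are not on the allowed-protocol list, such as javascript:.
    return sprintf(
        '<iframe src="%s" width="640" height="360" allowfullscreen></iframe>',
        esc_url( $url )
    );
}

add_shortcode( 'dideo', 'dideo_shortcode_safe' );
```

Of the two controls, the allowlist is the stronger one: esc_url() only guarantees that the output is a syntactically harmless URL, while the allowlist also rejects values that are well-formed URLs but point somewhere the plugin never intended to embed.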
Attack Vector
Exploitation requires an authenticated WordPress account with contributor capabilities or higher. The attacker submits a post or page containing the dideo shortcode with a malicious id value. Once the content is rendered, the payload executes for every visitor in the context of the WordPress site, satisfying the scope-changed condition reflected in the CVSS vector. No user interaction beyond loading the page is required.
No public exploitation code, proof-of-concept, or in-the-wild activity has been reported. See the Wordfence Vulnerability Report and the WordPress Plugin Code Review for the vulnerable source lines.
Detection Methods for CVE-2026-8847
Indicators of Compromise
- Posts or pages containing the [dideo] shortcode where the id attribute includes characters such as ", <, >, onerror=, or javascript:.
- Unexpected <script> tags or event-handler attributes rendered on, or immediately after, iframe elements generated by the Dideo plugin.
- New or modified administrative user accounts created shortly after a contributor authored content containing the shortcode.
- Outbound browser requests from site visitors to attacker-controlled domains traceable to pages using the plugin.
Detection Strategies
- Query the WordPress wp_posts table for post_content matching [dideo where the id attribute contains quote or angle-bracket characters.
- Inspect rendered page HTML for iframe src values that contain unescaped quotes or JavaScript schemes.
- Review web access logs for contributor-account post submissions immediately followed by anonymous visits to the same URLs.
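A stand-alone scanner for the first two strategies above, added here as an example; it is not from the advisory, the plugin or WordPress core. It takes raw post_content strings (for instance exported from wp_posts) and reports every [dideo] shortcode whose id value is not a plain identifier. The permitted id format (letters, digits, '-' and '_') is an assumption, and the sample posts are constructed.

```php
<?php
// Added example (not from the advisory, the plugin or WordPress core).
// Runs under plain `php` with no WordPress install.

/**
 * Scan one post body and return a finding for every [dideo] shortcode whose
 * id is not a plain identifier. Attribute values may be double-quoted,
 * single-quoted or bare, loosely mirroring WordPress shortcode parsing.
 * The allowed id format (letters, digits, '-' and '_') is an assumption.
 */
function find_suspicious_dideo( string $content ): array {
    $findings = array();
    if ( ! preg_match_all( '/\[dideo\b([^\]]*)\]/i', $content, $tags ) ) {
        return $findings;
    }
    foreach ( $tags[0] as $i => $shortcode ) {
        $attrs = $tags[1][ $i ];
        $id    = '';
        if ( preg_match( '/\bid\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\'"]+))/i', $attrs, $m ) ) {
            // Only one of the three capture groups holds the value.
            $id = $m[1] !== '' ? $m[1] : ( ( $m[2] ?? '' ) !== '' ? $m[2] : ( $m[3] ?? '' ) );
        }
        if ( $id !== '' && preg_match( '/^[A-Za-z0-9_-]+$/', $id ) ) {
            continue; // plain identifier: nothing to report
        }
        $findings[] = array(
            'shortcode' => $shortcode,
            'id'        => $id,
            'reason'    => dideo_id_reason( $id ),
        );
    }
    return $findings;
}

/** Name the first hazardous pattern found in an id value, for triage. */
function dideo_id_reason( string $id ): string {
    $checks = array(
        'double quote (attribute break-out)' => '/"/',
        'single quote'                       => "/'/",
        'angle bracket'                      => '/[<>]/',
        'javascript: scheme'                 => '/javascript\s*:/i',
        'inline event handler'               => '/\bon\w+\s*=/i',
    );
    foreach ( $checks as $reason => $pattern ) {
        if ( preg_match( $pattern, $id ) ) {
            return $reason;
        }
    }
    return $id === '' ? 'missing or empty id' : 'id is not a plain identifier';
}

// Constructed sample posts (not real site data), keyed by post ID.
$sample_posts = array(
    101 => 'Intro text [dideo id="abc123"] more text',        // benign
    102 => '[dideo id=\'v1" onerror=x\']',                    // quote breaks out of src
    103 => '[dideo id="javascript:void(0)"]',                 // disallowed scheme
    104 => '[dideo id=abc<img>] and [dideo id="ok_1"]',       // bare value with tag characters
);

foreach ( $sample_posts as $post_id => $content ) {
    foreach ( find_suspicious_dideo( $content ) as $f ) {
        printf( "post %d: %s -- id=%s (%s)\n", $post_id, $f['shortcode'], $f['id'], $f['reason'] );
    }
}
```

Running it reports posts 102, 103 and the first shortcode in 104 and stays silent on 101. The allowlist check is what makes the scanner useful: an id that is merely odd (for example one containing a space) is also reported, so reviewers see everything the hardened handler would reject rather than only the payload shapes listed under Indicators of Compromise.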
Monitoring Recommendations
- Enable WordPress audit logging to track post creation and edits performed by contributor-level accounts.
- Alert on privilege changes, plugin setting modifications, and new administrator account creation events.
- Monitor Content Security Policy (CSP) violation reports for inline script execution on pages that embed Dideo content.
How to Mitigate CVE-2026-8847
Immediate Actions Required
- Deactivate and remove the Dideo plugin until a patched release is published by the maintainer.
- Audit all existing posts and pages for the [dideo] shortcode and remove or sanitize any instances with suspicious id values.
- Restrict contributor and author account creation, and review existing low-privileged accounts for legitimacy.
- Rotate session cookies and credentials for administrative users who may have visited affected pages.
Patch Information
No vendor patch is referenced in the NVD entry at the time of publication. Site operators should monitor the WordPress plugin repository for an updated release that applies esc_url() or esc_attr() to the id shortcode attribute before rendering it into the iframe src.
Workarounds
- Remove the Dideo plugin entirely and embed videos using the WordPress core oEmbed handler or a maintained alternative.
- Apply a Web Application Firewall (WAF) rule that blocks shortcode submissions containing quote characters or javascript: schemes in the id attribute.
- Reduce default user roles so that untrusted authors cannot publish content containing arbitrary shortcodes, or disable shortcode execution for contributor-authored posts.
- Deploy a strict Content Security Policy that disallows inline scripts and restricts iframe sources to known domains.
# Configuration example: list [dideo] shortcodes whose id is not a plain identifier, via WP-CLI
# (the permitted id format, letters/digits/-/_, is an assumption; shortcodes without an id are listed too)
wp post list --post_type=any --post_status=any --format=ids | tr ' ' '\n' \
| while read -r pid; do
    wp post get "$pid" --field=post_content | grep -o -E '\[dideo( [^]]*)?\]' \
    | grep -v -E "^\[dideo +id *= *(\"[A-Za-z0-9_-]+\"|'[A-Za-z0-9_-]+'|[A-Za-z0-9_-]+) *\]$" \
    | sed "s/^/post $pid: /"
  done
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.