cleantalk
Vulnerabilities and Security Researches

Faces of Users, CVE-2026-8038

CVE, Research URL

CVE-2026-8038

Home page URL

Security reports for Faces of Users

Application

Faces of Users

Published on
May 20, 2026
Research Description
The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 0.0.3.
Status
vulnerable
Previous vulnerability researches
Buooy Sticky Header (CVE-2024-51699) , Nov 08, 2024
New vulnerability
Logo Manager For Enamad (CVE-2026-6549) , May 23, 2026
Sentence To SEO (keywords, description and tags) (CVE-2026-6391) , May 23, 2026
Oliver POS – A WooCommerce Point of Sale (POS) (CVE-2026-6072) , May 23, 2026
Amazon Scraper (CVE-2026-8419) , May 23, 2026
WPB Floating Menu or Categories – Sticky Floating Side Menu & Categories with Icons (CVE-2026-4811) , May 23, 2026