cleantalk
Vulnerabilities and Security Researches

Animate Your Content, CVE-2026-8872

CVE, Research URL

CVE-2026-8872

Home page URL

Security reports for Animate Your Content

Application

Animate Your Content

Published on
May 27, 2026
Research Description
The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animation-set' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_args_to_html_attrs() function, which concatenates shortcode attribute values directly into double-quoted HTML attributes without calling esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.0.0.
Status
vulnerable
Previous vulnerability researches
Geo Mashup (CVE-2026-27427) , May 28, 2026
Geo Mashup (CVE-2026-2416) , Apr 15, 2026
Geo Mashup (CVE-2018-14071) , Jun 07, 2024
Geo Mashup (CVE-2015-1383) , Jun 07, 2024
Geo Mashup (CVE-2022-4974) , Nov 15, 2024
New vulnerability
Livemesh SiteOrigin Widgets (CVE-2026-3896) , May 28, 2026
SMTP2GO for WordPress – Email Made Easy (CVE-2026-7621) , May 28, 2026
Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks (CVE-2026-42728) , May 28, 2026
Events In City (CVE-2026-8898) , May 28, 2026
ElementsKit Elementor addons (CVE-2026-49052) , May 28, 2026