cleantalk
Vulnerabilities and Security Researches

Extra Settings for RocketChat, CVE-2026-8841

CVE, Research URL

CVE-2026-8841

Home page URL

Security reports for Extra Settings for RocketChat

Application

Extra Settings for RocketChat

Published on
Jun 09, 2026
Research Description
The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rocketchat' shortcode's 'title' attribute in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping in the rxstg_shortcode() function, which concatenates the user-supplied 'title' attribute directly into HTML output. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 0.1.
Status
vulnerable
Previous vulnerability researches
WpMobi (CVE-2026-8909) , Jun 10, 2026
Mobile Plugin (CVE-2025-26563) , Feb 22, 2025
WordPress Mobile Themes (CVE-2025-28881) , Mar 13, 2025
New vulnerability
Helpfulcrowd Product Reviews (CVE-2026-8499) , Jun 11, 2026
Global Body Mass Index Calculator (CVE-2026-8883) , Jun 11, 2026
6Storage Rentals (CVE-2026-9185) , Jun 11, 2026
WP Travel Engine – Best Travel Booking WordPress Plugin (CVE-2026-49770) , Jun 11, 2026
cformsII (CVE-2026-39435) , Jun 11, 2026