CVE-2026-8701 is a stored cross-site scripting vulnerability in the GNTT Post Title Ticker WordPress plugin version 1.0. The issue stems from insufficient input sanitization and output escaping of shortcode attributes within the functions gntt_title_ticker_slide(), gntt_title_ticker_fade(), and gntt_title_ticker_typing(). Attributes including border, width, height, header_background, header_text_color, and id are concatenated directly into HTML output without escaping (e.g., esc_attr()), allowing authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript. This script executes whenever a user accesses a page containing the injected shortcode, potentially leading to session hijacking or other client-side attacks. The vulnerability has a CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and partial impact on confidentiality and integrity.

An attacker with contributor-level or higher access can inject persistent malicious scripts into pages using vulnerable shortcodes. These scripts execute in the context of users viewing the page, potentially leading to theft of cookies, session tokens, or other sensitive information. The vulnerability affects confidentiality and integrity but does not impact availability. Because the vulnerability requires authenticated access, the risk is limited to environments where untrusted users have contributor or higher roles.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict contributor-level access to trusted users only. Avoid using the vulnerable shortcodes or remove the GNTT Post Title Ticker plugin if possible. Monitor for plugin updates that address this issue and apply them promptly when available.