CVE-2026-8846 is a stored cross-site scripting vulnerability in the eldougo Tuxquote WordPress plugin, affecting versions up to and including 1.3. The vulnerability arises from insufficient input sanitization and output escaping of user-controlled attributes ('title', 'align', and 'width') in the tuxquote_build_format() function. These attributes are concatenated directly into HTML output without being passed through WordPress escaping functions such as esc_attr() or esc_html(), enabling authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code. This injected code executes in the context of any user viewing the compromised page, potentially leading to session hijacking or other client-side attacks. The CVSS v3.1 base score is 6.4 (medium severity), with an attack vector of network, low attack complexity, requiring low privileges but no user interaction, and impacts confidentiality and integrity with no impact on availability. No patch or official remediation has been published, and no known exploits have been reported.

An authenticated attacker with Contributor-level or higher access can inject malicious scripts into pages via the vulnerable shortcode attributes. These scripts execute in the browsers of users who view the affected pages, potentially compromising user sessions or performing other malicious actions within the context of the affected site. The vulnerability impacts confidentiality and integrity but does not affect availability. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Contributor-level access to trusted users only and consider disabling or removing the Tuxquote plugin if possible. Monitor official vendor channels for updates or patches addressing this vulnerability.