CVE-2026-8872 is a stored cross-site scripting vulnerability in the Animate Your Content WordPress plugin due to improper neutralization of input (CWE-79). The issue occurs in the shortcode_args_to_html_attrs() function, which concatenates shortcode attribute values directly into double-quoted HTML attributes without applying the esc_attr() escaping function. This allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages via the 'animation-set' shortcode, which executes in the context of any user viewing the page. The vulnerability affects versions up to and including 1.0.0. The CVSS 3.1 base score is 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, scope change, and limited confidentiality and integrity impact without availability impact. No vendor patch or official remediation has been published yet.

An attacker with contributor-level or higher privileges can inject persistent malicious scripts into WordPress pages using the vulnerable shortcode. These scripts execute in the browsers of users who visit the infected pages, potentially leading to data theft, session hijacking, or other client-side attacks. The vulnerability affects confidentiality and integrity but does not impact availability. There are no known active exploits reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict contributor-level access to trusted users only and consider disabling or removing the Animate Your Content plugin if contributor privileges cannot be tightly controlled. Monitor for plugin updates that address this vulnerability.