CVE-2026-8886 is a stored cross-site scripting vulnerability in the hk_shortcode WordPress plugin due to improper neutralization of input in the 'title-plane' shortcode. The vulnerability exists because the 'title' attribute is concatenated directly into HTML output without escaping in the huankong_post_short_title_plane() function. Authenticated users with contributor or higher privileges can exploit this to inject arbitrary JavaScript that executes in the context of any user viewing the injected page. This vulnerability affects versions up to and including 1.0 of the plugin. The CVSS 3.1 base score is 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, required privileges, no user interaction, scope change, and limited confidentiality and integrity impact.

Successful exploitation allows an authenticated contributor or higher to inject persistent malicious scripts into pages via the 'title-plane' shortcode. These scripts execute in the browsers of users who visit the compromised pages, potentially leading to theft of session tokens, defacement, or other client-side impacts. The vulnerability does not impact availability. The scope is changed, meaning the vulnerability affects resources beyond the vulnerable component. Confidentiality and integrity impacts are limited but present.

No official patch or remediation is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, restrict contributor-level access to trusted users only and consider disabling or removing the hk_shortcode plugin if feasible. Monitor official vendor channels for updates and apply patches promptly once available.