
Cincopa WordPress Plugin CVE-2026-10092

EUVD: EUVD-2026-38662 · HIGH
Cross-site Scripting (XSS) (CWE-79)
Published 2026-06-24 · Source: Wordfence · GHSA-jhg4-5fww-9vvr
CVSS 3.1 base score 7.2 (Vendor: Wordfence)

Severity by source

Vendor (Wordfence), primary: 7.2 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

vuln.today AI: 6.1 MEDIUM
Unauthenticated comment submission (PR:N) plants the payload, but a victim must load the comments page (UI:R); stored XSS crosses scope to the browser (S:C) with limited C/I impact.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence). The two CVSS 3.1 vectors differ only in User Interaction: the vendor scores UI:N, the AI rating scores UI:R because the stored script runs only when someone renders the comment.

CVSS Vector (Vendor: Wordfence)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

CVE Published: Jun 24, 2026 05:33 (cve.org)
Analysis Generated: Jun 24, 2026 06:55 (vuln.today)

Description (CVE.org)

The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via cincopa Shortcode in Post Comments in all versions up to, and including, 1.163 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation is possible because the plugin processes the [cincopa] shortcode via a comment_text filter hook, allowing unauthenticated visitors who can post comments to supply a malicious shortcode argument that persists in the database.

Analysis (AI)

Stored cross-site scripting in the Cincopa video and media plug-in for WordPress (versions ≤1.163) allows unauthenticated commenters to inject persistent JavaScript via the [cincopa] shortcode processed by the comment_text filter. Any visitor or administrator viewing the affected post executes the attacker's script in their browser session. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: identify a WordPress site running the Cincopa plugin (≤1.163) with commenting open on at least one post.
Delivery: submit a comment containing a [cincopa] shortcode whose attribute value carries the payload.
Persist: WordPress stores the comment, shortcode included, in the database. Core never expands shortcodes in comments, so the text stays inert until the plugin's comment_text filter runs.
Execution: a reader or administrator loads the post's comments; the plugin's comment_text hook expands [cincopa] and emits the attribute without escaping, so the payload becomes live markup.
Impact: the script runs in the victim's browser session; hijack an admin session or redirect users.

Vulnerability Assessment (AI)

Exploitation: Requires a WordPress site running the Cincopa video and media plug-in (≤1.163) with commenting enabled on at least one post; the attacker must be able to submit a comment containing a [cincopa] shortcode whose attribute is rendered unescaped via the comment_text filter. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N yields 7.2 (High), driven by the changed scope and network reachability of stored XSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An unauthenticated visitor posts a comment containing a crafted [cincopa] shortcode whose attribute value carries an XSS payload (e.g., breaking out of an attribute to inject a <script> tag or an event-handler attribute). When the site administrator or any reader opens the post's comments, the stored payload executes in their browser, allowing session theft, forced administrative actions, or drive-by redirection. …
Remediation: No vendor-released patch identified at time of analysis; monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/2d6304e5-7fbf-484d-b147-f2a6c2ee0658) and the plugin's WordPress.org page for a release above 1.163. … Detailed patch versions, workarounds, and compensating controls in full report.
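The pattern the Description and the Exploit Scenario above describe, as an added example written for this page and not code from the Cincopa plugin: a hypothetical [cincopa] handler attached to WordPress's comment_text filter, first in the vulnerable form (the shortcode attribute echoed into markup unescaped), then hardened. The attribute name `fid`, the `<div>` embed markup, and the function names `cincopa_tag_value`, `vulnerable_comment_text` and `hardened_comment_text` are assumptions; the real plugin's handler and attribute names are not on this page.

```php
<?php
// Added example for this page, not code from the Cincopa plugin. Shows a
// hypothetical [cincopa] shortcode handler on the comment_text filter in the
// vulnerable pattern the advisory describes, then hardened. Attribute name
// "fid" and the embed markup are assumptions. Runs stand-alone with `php`:
// the two WordPress helpers it touches are stubbed when WP is not loaded.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress's esc_attr(): neutralise quotes and angle brackets.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
    function add_filter($hook, $callback, $priority = 10, $accepted_args = 1) {
        return true;   // no-op outside WordPress
    }
}

// Matches [cincopa fid=...] with a double-quoted, single-quoted or bare value,
// the three forms WordPress's own shortcode_parse_atts() accepts.
const CINCOPA_TAG = '/\[cincopa\s+fid=(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))\s*\]/';

// Pick whichever capture group actually matched.
function cincopa_tag_value(array $m): string {
    foreach ([1, 2, 3] as $i) {
        if (isset($m[$i]) && $m[$i] !== '') {
            return $m[$i];
        }
    }
    return '';
}

// VULNERABLE: whatever the commenter put in fid lands inside data-fid="...".
// A value containing a double quote closes the attribute early and the rest
// of the value becomes new attributes, e.g. an onmouseover= handler.
function vulnerable_comment_text(string $comment): string {
    return preg_replace_callback(CINCOPA_TAG, function (array $m): string {
        return '<div class="cincopa-embed" data-fid="' . cincopa_tag_value($m) . '"></div>';
    }, $comment);
}

// HARDENED: validate the value against the shape a media ID can have, and
// escape on output anyway so a later loosening of the allow-list cannot
// reopen the hole. Tags that fail validation are dropped rather than rendered.
function hardened_comment_text(string $comment): string {
    return preg_replace_callback(CINCOPA_TAG, function (array $m): string {
        $fid = cincopa_tag_value($m);
        if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $fid)) {
            return '';
        }
        return '<div class="cincopa-embed" data-fid="' . esc_attr($fid) . '"></div>';
    }, $comment);
}

// In a real plugin this is the hook that makes comment content reach the
// handler; WordPress core never expands shortcodes in comments on its own.
add_filter('comment_text', 'hardened_comment_text');

// Constructed attacker comment (not a real sample): single quotes around the
// value let a double quote through, which is what breaks out of data-fid="..."
// in the vulnerable rendering. Compare the two outputs.
$attacker_comment = "Great video! [cincopa fid='x\" onmouseover=\"alert(document.cookie)']";
echo 'vulnerable: ', vulnerable_comment_text($attacker_comment), PHP_EOL;
echo 'hardened:   ', hardened_comment_text($attacker_comment), PHP_EOL;
```

Run it with `php` to see the vulnerable branch emit the smuggled double quote and the `onmouseover=` handler as a live attribute, while the hardened branch strips the tag. Note why the payload survives comment submission at all: WordPress's comment sanitiser (wp_kses on `pre_comment_content` for untrusted commenters) only filters HTML tags, and `[cincopa ...]` is plain text as far as kses is concerned. The shortcode becomes markup only when the plugin's comment_text callback expands it, which is why escaping at that point (or not expanding shortcodes in comments at all) is the fix.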

Recommended Action (AI)

Within 24 hours: Inventory all WordPress installations running Cincopa ≤1.163; disable user comments on posts containing Cincopa shortcodes or restrict commenting to authenticated, pre-approved users. …
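A compensating control for the "Within 24 hours" advice above and the Remediation note that no patch was identified, as an added example and not code from Cincopa, Wordfence or vuln.today: a must-use plugin that detaches whatever the Cincopa plugin hooked onto comment_text (so stored [cincopa] tags stop being expanded) and a WP-CLI command that flags comments already in the database whose [cincopa] tag carries markup-breaking syntax. The directory-name test (a `cincopa*` directory under WP_PLUGIN_DIR), the `cincopa_ks_*` function names and the `cincopa-ks-scan` command name are assumptions to adjust to the install.

```php
<?php
/**
 * Plugin Name: Cincopa comment-shortcode kill switch (added example)
 * Description: Compensating control written for this page, not code from
 * Cincopa, Wordfence or vuln.today. Place in wp-content/mu-plugins/ until the
 * site runs a Cincopa release above 1.163, then delete it. Assumes the plugin's
 * files live in a directory whose name starts with "cincopa" under WP_PLUGIN_DIR.
 */

// Resolve the file a hook callback was defined in, so plugin callbacks can be
// told apart from core/theme ones without knowing the callback's name.
function cincopa_ks_callback_file($callback) {
    try {
        if (is_string($callback) && strpos($callback, '::') !== false) {
            $callback = explode('::', $callback, 2);   // "Class::method"
        }
        if (is_array($callback)) {
            $ref = new ReflectionMethod($callback[0], $callback[1]);
        } elseif (is_object($callback) && !($callback instanceof Closure)) {
            $ref = new ReflectionMethod($callback, '__invoke');
        } else {
            $ref = new ReflectionFunction($callback);    // name or closure
        }
        $file = $ref->getFileName();
        return $file === false ? null : str_replace('\\', '/', $file);
    } catch (ReflectionException $e) {
        return null;
    }
}

function cincopa_ks_is_plugin_file(?string $file): bool {
    if ($file === null) {
        return false;
    }
    $plugin_dir = str_replace('\\', '/', rtrim(WP_PLUGIN_DIR, '/\\'));
    return stripos($file, $plugin_dir . '/cincopa') === 0;   // assumed dir slug
}

// 1. Detach every comment_text callback the plugin registered. Runs on
//    wp_loaded at the lowest priority, after all plugins' init handlers, so the
//    filter is gone before any comment is rendered. Core never puts
//    do_shortcode() on comment_text, so a bare do_shortcode there is also
//    removed in case the plugin attached core's function directly.
add_action('wp_loaded', function () {
    global $wp_filter;
    if (empty($wp_filter['comment_text']) || !($wp_filter['comment_text'] instanceof WP_Hook)) {
        return;
    }
    foreach ($wp_filter['comment_text']->callbacks as $priority => $callbacks) {
        foreach ($callbacks as $cb) {
            $fn = $cb['function'];
            if ($fn === 'do_shortcode' || cincopa_ks_is_plugin_file(cincopa_ks_callback_file($fn))) {
                remove_filter('comment_text', $fn, $priority);
            }
        }
    }
}, PHP_INT_MAX);

// 2. Find comments already stored that carry a [cincopa] tag whose attribute
//    list contains angle brackets, an event-handler attribute or a javascript:
//    URL. Heuristic: review hits by hand before deleting or spamming them.
function cincopa_ks_find_suspicious_comments(): array {
    global $wpdb;
    $rows = $wpdb->get_results($wpdb->prepare(
        "SELECT comment_ID, comment_post_ID, comment_author_IP, comment_content
           FROM {$wpdb->comments}
          WHERE comment_content LIKE %s",
        '%' . $wpdb->esc_like('[cincopa') . '%'
    ));
    $hits = [];
    foreach ($rows as $row) {
        if (!preg_match_all('/\[cincopa\b([^\]]*)\]/i', $row->comment_content, $tags)) {
            continue;
        }
        foreach ($tags[1] as $attrs) {
            if (preg_match('/[<>]|\bon[a-z]+\s*=|javascript:/i', $attrs)) {
                $hits[] = $row;
                break;
            }
        }
    }
    return $hits;
}

if (defined('WP_CLI') && WP_CLI) {
    WP_CLI::add_command('cincopa-ks-scan', function () {
        foreach (cincopa_ks_find_suspicious_comments() as $row) {
            WP_CLI::warning(sprintf('comment %d on post %d from %s looks injected',
                $row->comment_ID, $row->comment_post_ID, $row->comment_author_IP));
        }
        WP_CLI::success('scan complete');
    });
}
```

Drop the file into `wp-content/mu-plugins/` (must-use plugins load before regular plugins and cannot be deactivated from the dashboard, which is what you want for a control like this), then run `wp cincopa-ks-scan` to triage what is already in the database. The kill switch only stops the plugin from expanding [cincopa] in comments; it does not alter the plugin's files, does not fix the underlying escaping bug, and should be removed once the site runs a release above 1.163. Disabling comments on affected posts or requiring approval for new comments, as the recommendation above says, remains the simpler control where the site can live with it.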
