CVE-2026-4032

| EUVD-2026-23170 MEDIUM
2026-04-16 Wordfence GHSA-63x8-x938-vx33 GHSA-7xjm-g8f4-rp26 GHSA-83mq-cmhp-6pvq GHSA-ffq7-898w-9jc4
XSS WordPress
6.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Apr 16, 2026 - 04:15 vuln.today

DescriptionNVD

The CodeColorer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter in 'cc' comment shortcode in versions up to, and including, 0.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires comments to be enabled on the target post and guest comments to be allowed.

AnalysisAI

Stored Cross-Site Scripting (XSS) in CodeColorer plugin for WordPress versions up to 0.10.1 allows unauthenticated attackers to inject malicious JavaScript via the 'class' parameter in the 'cc' comment shortcode, which executes in the browsers of users viewing the affected page. Exploitation requires comments to be enabled and guest comments permitted on the target post. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-4032 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy