Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0. This is due to insufficient output escaping in the as_get_coin_shortcode() function, which renders the 'width' (and 'height') shortcode attribute directly into the style attribute of an <iframe> element without applying any escaping function such as esc_attr(). An attacker-controlled value like '100px;"onload="alert(1)" x="' terminates the style attribute prematurely and injects an arbitrary HTML attribute into the iframe tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Cryptocurrency Prijsvergelijking Widget WordPress plugin (version 1.0) allows authenticated attackers holding contributor-level access to inject persistent JavaScript into any page where the plugin shortcode is placed, executing silently in the browsers of all subsequent visitors including administrators. The root cause is the as_get_coin_shortcode() function writing user-controlled 'width' and 'height' shortcode attributes directly into an iframe's HTML style attribute without calling esc_attr(), enabling style-context breakout via crafted attribute-termination payloads. No public exploit has been independently listed at time of analysis and EPSS stands at 0.03% (9th percentile), indicating low observed exploitation probability, though the CVSS Changed Scope designation means a single injected payload can compromise sessions of any user - including site administrators - who loads the affected page.
Technical ContextAI
The plugin is a WordPress shortcode-based widget that embeds a cryptocurrency price comparison iframe into posts and pages. The vulnerable logic is documented in the WordPress plugin repository at functions.php lines 138 and 157, where the as_get_coin_shortcode() function interpolates the 'width' and 'height' shortcode parameters directly into the style attribute of a rendered HTML iframe element. WordPress provides the esc_attr() sanitization helper specifically to neutralize quote characters and event-handler injection in attribute contexts; its absence here is the precise CWE-79 (Improper Neutralization of Input During Web Page Generation) failure. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N characterizes the attack as network-accessible with low complexity, requiring only contributor-level privileges, with Changed Scope (S:C) indicating the injected payload crosses the security boundary from the contributor's post context into every subsequent visitor's browser session. The combined C:L/I:L impact reflects realistic outcomes such as session cookie exfiltration or DOM-level content manipulation rather than full system compromise.
RemediationAI
No vendor-released patched version has been identified at time of analysis - the references cite only the current plugin source and the Wordfence advisory without specifying a fixed release version. Site administrators should immediately deactivate and uninstall the Cryptocurrency Prijsvergelijking Widget plugin until a patched release is confirmed available in the WordPress plugin repository or via the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/058e47cd-55c8-48b3-8aa6-ef299886061d?source=cve. As a compensating control, audit and minimize the contributor role - remove or downgrade any contributor accounts that do not require shortcode insertion access, noting this may restrict legitimate editorial workflows. A Web Application Firewall rule targeting style-attribute breakout patterns (inputs containing quote characters adjacent to HTML event handler keywords such as onload, onerror) can reduce exploitation risk but may generate false positives on legitimate numeric style values. For operators who must keep the plugin active, patching the source directly by wrapping the width and height parameters with esc_attr() before output in functions.php is technically straightforward, though self-applied source patches require re-application after any plugin update.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32055
GHSA-3r7w-pvvh-cggq