Skip to main content

Prijsvergelijking Widget CVE-2026-8698

| EUVDEUVD-2026-32055 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 security@wordfence.com GHSA-3r7w-pvvh-cggq
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 21:33 vuln.today
CVE Published
May 27, 2026 - 07:16 nvd
MEDIUM 6.4

DescriptionCVE.org

The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0. This is due to insufficient output escaping in the as_get_coin_shortcode() function, which renders the 'width' (and 'height') shortcode attribute directly into the style attribute of an <iframe> element without applying any escaping function such as esc_attr(). An attacker-controlled value like '100px;"onload="alert(1)" x="' terminates the style attribute prematurely and injects an arbitrary HTML attribute into the iframe tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Cryptocurrency Prijsvergelijking Widget WordPress plugin (version 1.0) allows authenticated attackers holding contributor-level access to inject persistent JavaScript into any page where the plugin shortcode is placed, executing silently in the browsers of all subsequent visitors including administrators. The root cause is the as_get_coin_shortcode() function writing user-controlled 'width' and 'height' shortcode attributes directly into an iframe's HTML style attribute without calling esc_attr(), enabling style-context breakout via crafted attribute-termination payloads. No public exploit has been independently listed at time of analysis and EPSS stands at 0.03% (9th percentile), indicating low observed exploitation probability, though the CVSS Changed Scope designation means a single injected payload can compromise sessions of any user - including site administrators - who loads the affected page.

Technical ContextAI

The plugin is a WordPress shortcode-based widget that embeds a cryptocurrency price comparison iframe into posts and pages. The vulnerable logic is documented in the WordPress plugin repository at functions.php lines 138 and 157, where the as_get_coin_shortcode() function interpolates the 'width' and 'height' shortcode parameters directly into the style attribute of a rendered HTML iframe element. WordPress provides the esc_attr() sanitization helper specifically to neutralize quote characters and event-handler injection in attribute contexts; its absence here is the precise CWE-79 (Improper Neutralization of Input During Web Page Generation) failure. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N characterizes the attack as network-accessible with low complexity, requiring only contributor-level privileges, with Changed Scope (S:C) indicating the injected payload crosses the security boundary from the contributor's post context into every subsequent visitor's browser session. The combined C:L/I:L impact reflects realistic outcomes such as session cookie exfiltration or DOM-level content manipulation rather than full system compromise.

RemediationAI

No vendor-released patched version has been identified at time of analysis - the references cite only the current plugin source and the Wordfence advisory without specifying a fixed release version. Site administrators should immediately deactivate and uninstall the Cryptocurrency Prijsvergelijking Widget plugin until a patched release is confirmed available in the WordPress plugin repository or via the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/058e47cd-55c8-48b3-8aa6-ef299886061d?source=cve. As a compensating control, audit and minimize the contributor role - remove or downgrade any contributor accounts that do not require shortcode insertion access, noting this may restrict legitimate editorial workflows. A Web Application Firewall rule targeting style-attribute breakout patterns (inputs containing quote characters adjacent to HTML event handler keywords such as onload, onerror) can reduce exploitation risk but may generate false positives on legitimate numeric style values. For operators who must keep the plugin active, patching the source directly by wrapping the width and height parameters with esc_attr() before output in functions.php is technically straightforward, though self-applied source patches require re-application after any plugin update.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-8698 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy