Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Unauthenticated comment submission (PR:N) plants the payload, but a victim must load the comments page (UI:R); stored XSS crosses scope to the browser (S:C) with limited C/I impact.
Primary rating from Vendor (Wordfence).
CVSS Vector (Vendor: Wordfence)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
Description (CVE.org)
The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via cincopa Shortcode in Post Comments in all versions up to, and including, 1.163 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation is possible because the plugin processes the [cincopa] shortcode via a comment_text filter hook, allowing unauthenticated visitors who can post comments to supply a malicious shortcode argument that persists in the database.
Analysis (AI)
Stored cross-site scripting in the Cincopa video and media plug-in for WordPress (versions ≤1.163) allows unauthenticated commenters to inject persistent JavaScript via the [cincopa] shortcode processed by the comment_text filter. Any visitor or administrator viewing the affected post executes the attacker's script in their browser session. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Requires a WordPress site running the Cincopa video and media plug-in (≤1.163) with commenting enabled on at least one post; the attacker must be able to submit a comment containing a [cincopa] shortcode whose attribute is rendered unescaped via the comment_text filter. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N yields 7.2 (High), driven by the changed scope and network reachability of stored XSS. … |
| Exploit Scenario | An unauthenticated visitor posts a comment containing a crafted [cincopa] shortcode whose attribute value carries an XSS payload (e.g., breaking out of an attribute to inject a `<script>` tag). When the site administrator or any reader opens the post's comments, the stored payload executes in their browser, allowing session theft, forced administrative actions, or drive-by redirection. … |
| Remediation | No vendor-released patch identified at time of analysis; monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/2d6304e5-7fbf-484d-b147-f2a6c2ee0658) and the plugin's WordPress.org page for a release above 1.163. … |
Recommended Action (AI)
Within 24 hours: Inventory all WordPress installations running Cincopa ≤1.163; disable user comments on posts containing Cincopa shortcodes or restrict commenting to authenticated, pre-approved users. …
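The description above explains the root cause (a shortcode handler reached through the comment_text filter, with the attribute value neither sanitized on input nor escaped on output), and the recommended action asks for compensating controls until a fixed release exists. The following PHP is an added illustration, not Cincopa's code: it contrasts the unsafe pattern with an escaped handler, adds a site-side mu-plugin control, and includes a triage query for comments that already carry the shortcode. The shortcode name `example_media`, the `fid`/`title` attributes, the accepted identifier format, and the assumption that the plugin hooks comment_text at a priority of 1 or higher are all hypothetical.

```php
<?php
/**
 * Added example (not the Cincopa plugin's code). Everything named here is a
 * stand-in for the real plugin's handler; only the WordPress APIs are real.
 */

// --- Unsafe pattern: a shortcode attribute reaches the HTML unescaped ---------
// If this handler is run over comment text (add_filter('comment_text', 'do_shortcode')),
// whatever a commenter writes in title= lands inside the attribute as-is.
function example_media_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'fid' => '', 'title' => '' ), $atts, 'example_media' );
    return '<div class="example-media" data-fid="' . $atts['fid'] . '" title="' . $atts['title'] . '"></div>';
}

// --- Hardened form: validate the identifier, escape every value on output -----
function example_media_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'fid' => '', 'title' => '' ), $atts, 'example_media' );

    // Accept only the identifier shape we expect (assumed format for this example).
    if ( ! preg_match( '/^[A-Za-z0-9_!]{1,64}$/', $atts['fid'] ) ) {
        return '';
    }

    // sanitize_text_field() strips tags and control characters on input;
    // esc_attr() encodes quotes and angle brackets so the value cannot close the attribute.
    return sprintf(
        '<div class="example-media" data-fid="%s" title="%s"></div>',
        esc_attr( $atts['fid'] ),
        esc_attr( sanitize_text_field( $atts['title'] ) )
    );
}
add_shortcode( 'example_media', 'example_media_shortcode_safe' );

// --- Compensating control for a site that cannot yet update -------------------
// Drop this into wp-content/mu-plugins/. strip_shortcodes() removes every
// registered shortcode tag from the comment body at priority 0, i.e. before a
// plugin's own comment_text filter (assumed to run at priority >= 1) can expand it.
add_filter( 'comment_text', 'strip_shortcodes', 0 );

// --- Triage: find stored comments that already contain a given shortcode -------
// Returns rows of comment_ID, comment_post_ID and comment_author_IP for review.
function example_find_shortcode_comments( $tag ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( '[' . $tag ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT comment_ID, comment_post_ID, comment_author_IP FROM {$wpdb->comments} WHERE comment_content LIKE %s",
            $like
        ),
        ARRAY_A
    );
}
```

Two points are worth checking before relying on the mu-plugin control: confirm the affected plugin really registers its comment_text filter at a priority above 0 (if it uses 0 as well, registration order decides, and the control may not apply), and remember that stripping shortcodes only affects rendering; comments found by `example_find_shortcode_comments( 'cincopa' )` still hold the stored text and should be reviewed or removed.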
Same weakness: CWE-79 – Cross-site Scripting (XSS)
External POC / Exploit Code
EUVD-2026-38662
GHSA-jhg4-5fww-9vvr