Prismatic
Monthly
Stored Cross-Site Scripting in Prismatic WordPress plugin (all versions ≤3.7.3) allows unauthenticated remote attackers to inject malicious scripts via crafted comment submissions containing the 'prismatic_encoded' pseudo-shortcode. Vulnerable code in prismatic_decode function fails to sanitize user-supplied attributes. CVSS 7.2 with scope change (S:C) elevates impact beyond vulnerable component. EPSS data not available; no CISA KEV listing identified. Wordfence threat intelligence confirms vulnerability; patch released in version 3.7.4 per WordPress plugin repository changelog.
Stored Cross-Site Scripting in Prismatic WordPress plugin (all versions ≤3.7.3) allows unauthenticated remote attackers to inject malicious scripts via crafted comment submissions containing the 'prismatic_encoded' pseudo-shortcode. Vulnerable code in prismatic_decode function fails to sanitize user-supplied attributes. CVSS 7.2 with scope change (S:C) elevates impact beyond vulnerable component. EPSS data not available; no CISA KEV listing identified. Wordfence threat intelligence confirms vulnerability; patch released in version 3.7.4 per WordPress plugin repository changelog.