{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3876", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-10T11:04:56.076Z", "datePublished": "2026-04-16T06:44:53.787Z", "dateUpdated": "2026-04-16T06:44:53.787Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T06:44:53.787Z"}, "affected": [{"vendor": "specialk", "product": "Prismatic", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.7.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3. This is due to insufficient input sanitization and output escaping on user-supplied attributes within the 'prismatic_decode' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by submitting a comment containing a crafted 'prismatic_encoded' pseudo-shortcode."}], "title": "Prismatic <= 3.7.3 - Unauthenticated Stored Cross-Site Scripting via 'prismatic_encoded' Pseudo-Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa4e18b0-f871-4476-af92-42e55aabdf93?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/prismatic/tags/3.7.3/inc/prismatic-core.php&new_path=/prismatic/tags/3.7.4/inc/prismatic-core.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-03-26T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-03-10T16:04:06.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-15T18:26:27.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3. This is due to insufficient input sanitization and output escaping on user-supplied attributes within the 'prismatic_decode' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by submitting a comment containing a crafted 'prismatic_encoded' pseudo-shortcode."}], "id": "CVE-2026-3876", "lastModified": "2026-04-16T07:16:30.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-16T07:16:30.350", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=/prismatic/tags/3.7.3/inc/prismatic-core.php&new_path=/prismatic/tags/3.7.4/inc/prismatic-core.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa4e18b0-f871-4476-af92-42e55aabdf93?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.7.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Prismatic", "source": "cna", "vendor": "specialk"}, "product": "prismatic", "vendor": "specialk"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T08:50:27.225922+00:00", "value": {"mitigation_remediation": ["Update the Prismatic plugin to version 3.7.4 or later to receive the vendor patch that validates and escapes shortcode attributes.", "If an update is not immediately possible, disable user comments or delete comments that contain the prismatic_encoded pseudo\u2011shortcode to prevent further script storage.", "Implement a WordPress content filter to escape or strip any prismatic_encoded shortcodes from comment content until the plugin can be upgraded."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "It affects the Prismatic plugin for WordPress from the vendor specialk, in all released versions up to and including 3.7.3. No specific sub\u2011versions are listed beyond that upper bound.", "description_and_impact": "The Prismatic WordPress plugin is vulnerable because the prismatic_decode function does not properly sanitize or escape user\u2011supplied attributes. As a result, an unauthenticated attacker can embed arbitrary JavaScript code within a comment that includes the malformed pseudo\u2011shortcode prismatic_encoded. The injected script is stored in the comment and executed whenever any user views the page containing that comment, leading to potential session hijacking, credential theft, or defacement.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.2, indicating a high impact. Attackers do not need any credentials; a public comment submission suffices to inject malicious code. The EPSS score is not available, and the issue is not in the CISA KEV catalog, but the lack of user authentication requirements and the stored nature of the XSS suggest it could be readily exploited by an automated script once a comment is posted. The vulnerability is not mitigated by existing access controls and could be used to compromise any visitor to the affected WordPress site."}}}}, "created": "2026-04-16T09:00:05.288508+00:00", "updated": "2026-04-16T09:11:37.090304+00:00", "vendors": ["specialk", "specialk$PRODUCT$prismatic", "wordpress", "wordpress$PRODUCT$wordpress"]}