Stored Cross-Site Scripting in Highlighting Code Block Plugin for WordPress
CVE-2026-12108

4.4MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
10 July 2026

What is CVE-2026-12108?

The Highlighting Code Block plugin for WordPress contains a flaw that allows authenticated users with administrator-level access to execute arbitrary scripts through stored cross-site scripting. This vulnerability is particularly concerning in multi-site installations and where the unfiltered_html capability has been disabled, as it grants attackers the ability to insert malicious scripts into pages. In all affected versions up to 2.2.0, inadequate input sanitization and output escaping are the root causes of this security issue, potentially compromising user sessions and exposing sensitive data.

Affected Version(s)

Highlighting Code Block 0 <= 2.2.0

References

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chinnapak Charoensiri
.