Stored Cross-Site Scripting in Highlighting Code Block Plugin for WordPress
CVE-2026-12108
4.4MEDIUM
What is CVE-2026-12108?
The Highlighting Code Block plugin for WordPress contains a flaw that allows authenticated users with administrator-level access to execute arbitrary scripts through stored cross-site scripting. This vulnerability is particularly concerning in multi-site installations and where the unfiltered_html capability has been disabled, as it grants attackers the ability to insert malicious scripts into pages. In all affected versions up to 2.2.0, inadequate input sanitization and output escaping are the root causes of this security issue, potentially compromising user sessions and exposing sensitive data.
Affected Version(s)
Highlighting Code Block 0 <= 2.2.0