Stored Cross-Site Scripting in Short Comment Filter Plugin for WordPress
CVE-2026-3362

4.4 MEDIUM

Key Information:

Vendor

WordPress

CVE Published:
22 April 2026

What is CVE-2026-3362?

The Short Comment Filter plugin for WordPress is vulnerable to stored cross-site scripting through the 'Minimum Count' settings field, which does not properly sanitize user input or escape it on output. An authenticated attacker with administrator-level access can inject scripts that execute when a user views the settings page. The issue particularly affects multisite installations where certain HTML capabilities are restricted, which amplifies the risk posed by unguarded settings fields.
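The missing sanitization and escaping described above, shown as an added example in plain PHP; this is not the plugin's code, and the field name `min_count`, the markup and the function names are hypothetical. The comments name the WordPress helpers (`absint()`, `esc_attr()`) that play the same roles inside a plugin.

```php
<?php
// Added illustration, not the plugin's source. All names here are hypothetical.

// Vulnerable pattern: the stored setting is concatenated into an HTML
// attribute as-is, so a quote character ends the attribute early.
function render_min_count_unsafe(string $stored): string {
    return '<input type="number" name="min_count" value="' . $stored . '">';
}

// Input side: the setting is a count, so accept only a non-negative integer
// and fall back to a default for anything else.
// (Inside WordPress: absint() as the sanitize_callback of register_setting().)
function sanitize_min_count($raw, int $default = 0): int {
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $n === false ? $default : $n;
}

// Output side: escape for the attribute context on every render, even when
// the stored value is believed to be clean.
// (Inside WordPress: esc_attr().)
function render_min_count_safe($stored): string {
    $value = htmlspecialchars((string) $stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="number" name="min_count" value="' . $value . '">';
}

// Constructed sample input: a value that closes the attribute and the tag.
$submitted = '10"><script>/* constructed marker */</script>';

// Unescaped render: the constructed markup lands outside the value attribute.
echo render_min_count_unsafe($submitted), PHP_EOL;

// Escaped render of the same stored value: quotes and angle brackets become entities.
echo render_min_count_safe($submitted), PHP_EOL;

// Sanitized on save and escaped on output: the non-integer input is rejected
// and replaced by the default, while a legitimate count passes through.
echo render_min_count_safe(sanitize_min_count($submitted)), PHP_EOL;
echo render_min_count_safe(sanitize_min_count('25')), PHP_EOL;
```

Applying both controls matters because values already stored before a fix are only neutralized by the output escaping.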

Affected Version(s)

Short Comment Filter <= 2.2

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Nur Ibnu Hubab