Stored Cross-Site Scripting Vulnerability in Prismatic Plugin for WordPress
CVE-2026-3876

7.2 HIGH

Key Information:

Vendor: WordPress
Status: Vendor
CVE Published: 16 April 2026

What is CVE-2026-3876?

The Prismatic plugin for WordPress is vulnerable to stored cross-site scripting via the 'prismatic_encoded' pseudo-shortcode. The flaw stems from insufficient input sanitization and output escaping in the 'prismatic_decode' function, which lets unauthenticated attackers inject arbitrary web scripts into comments. The injected script executes whenever a user views a page that contains such a comment, exposing that user to data theft, session hijacking, or other malicious actions. All versions up to and including 3.7.3 are affected; users are advised to upgrade to the latest version.
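The advisory describes a decode-and-render path that trusts whatever a commenter supplied. The following PHP is an added illustration of that vulnerability class and its fix; it is not Prismatic's code, and the 'prismatic_decode' internals are not on this page. The `[demo_encoded]` tag name, the `demo_*` function names, the base64 transport and the `comment_text` filter wiring are all assumptions made for the example.

```php
<?php
// Added example: a WordPress-style comment filter that expands a hypothetical
// [demo_encoded]...[/demo_encoded] pseudo-shortcode by base64-decoding its
// body. Tag name, function names and filter wiring are assumptions, not the
// Prismatic plugin's implementation.

// Fallback so the file runs under plain PHP CLI; inside WordPress the real
// esc_html() is already defined and this block is skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

const DEMO_PATTERN = '#\[demo_encoded\](.*?)\[/demo_encoded\]#s';

// Vulnerable pattern: decoded bytes go straight into the HTML response, so
// any markup a commenter base64-encodes reaches every reader's browser intact.
function demo_decode_unsafe(string $comment_text): string {
    return preg_replace_callback(DEMO_PATTERN, function (array $m): string {
        $decoded = base64_decode($m[1], true);
        return $decoded === false ? '' : $decoded;
    }, $comment_text);
}

// Hardened pattern: decoded bytes are untrusted data and are HTML-escaped
// before output. Use wp_kses() with an allowlist instead of esc_html() only
// if some markup genuinely must survive.
function demo_decode_safe(string $comment_text): string {
    return preg_replace_callback(DEMO_PATTERN, function (array $m): string {
        $decoded = base64_decode($m[1], true);
        if ($decoded === false) {
            return ''; // reject malformed input instead of echoing it back
        }
        return '<code>' . esc_html($decoded) . '</code>';
    }, $comment_text);
}

// In a WordPress context the hardened version would be attached to the
// comment_text filter (assumed wiring; skipped under plain CLI).
if (function_exists('add_filter')) {
    add_filter('comment_text', 'demo_decode_safe');
}

// Constructed sample comment: the body is the base64 encoding of a script tag,
// standing in for whatever an anonymous commenter might submit.
$payload = base64_encode('<script>alert(1)</script>');
$comment = "Nice post! [demo_encoded]{$payload}[/demo_encoded]";

echo "unsafe: ", demo_decode_unsafe($comment), PHP_EOL; // raw <script> tag emitted
echo "safe:   ", demo_decode_safe($comment), PHP_EOL;   // &lt;script&gt; rendered as text
```

Run with `php demo.php`: the unsafe branch prints the decoded `<script>` element verbatim, which a browser would execute, while the safe branch prints the entity-escaped form inside a `<code>` element. The fix is entirely on the output side; validating the base64 wrapper is not a substitute for escaping what it unwraps.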

Affected Version(s)

Prismatic 0 <= 3.7.3

References

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Athiwat Tiprasaharn