[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUqecnc5sUMi5z3FU6l2EMQToBagL5d19dv2-1NabeW4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"source_links":37},"CVE-2026-3876","prismatic-unauthenticated-stored-cross-site-scripting-via-prismaticencoded-pseudo-shortcode","Prismatic \u003C= 3.7.3 - Unauthenticated Stored Cross-Site Scripting via 'prismatic_encoded' Pseudo-Shortcode","The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3. This is due to insufficient input sanitization and output escaping on user-supplied attributes within the 'prismatic_decode' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by submitting a comment containing a crafted 'prismatic_encoded' pseudo-shortcode.","prismatic",null,"\u003C=3.7.3","3.7.4","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-15 18:26:27","2026-04-16 06:44:54",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Faa4e18b0-f871-4476-af92-42e55aabdf93?source=api-prod",1,[22,23,24,25],"inc\u002Fprismatic-core.php","inc\u002Fresources-enqueue.php","prismatic.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-3876\n\n## 1. Vulnerability Summary\nThe **Prismatic** plugin for WordPress (versions \u003C= 3.7.3) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists in the `prismatic_decode` function within `inc\u002Fprismatic-core.php`. This function processes a \"pseudo-shortcode\" `[prismatic_encoded]` used by the plugin to handle code blocks. \n\nThe plugin fails to adequately sanitize the attributes provided within this pseudo-shortcode. While it attempts to use a regex whitelist to sanitize attributes, the whitelist is overly permissive, allowing attributes like `onmouseover`, `onfocus`, and values containing `window.location`, `window.name`, and `document`. Because the plugin hooks into the `comment_text` filter at a very late priority (99), it processes these pseudo-shortcodes after WordPress's standard security filters (like `wp_filter_kses`) have already run, allowing unauthenticated attackers to bypass comment sanitization.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `wp-comments-post.php` (Standard WordPress comment submission).\n- **Vulnerable Hook**: `comment_text` filter.\n- **Payload Parameter**: `comment`.\n- **Authentication Level**: Unauthenticated (if comments are open to the public).\n- **Preconditions**:\n    1. The Prismatic plugin must be active.\n    2. Comments must be enabled on","The Prismatic plugin for WordPress is vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) via its custom '[prismatic_encoded]' pseudo-shortcode. This occurs because the plugin uses an overly permissive regular expression to sanitize shortcode attributes and fails to properly escape them before outputting them within \u003Ccode> tags, allowing attackers to inject malicious JavaScript event handlers.","\u002F\u002F inc\u002Fprismatic-core.php (line 92 in version 3.7.3)\nfunction prismatic_decode($text) {\n\t\n\tif (!is_string($text)) return $text;\n\t\n\t$output = '';\n\t$split  = preg_split(\"\u002F(\\\\[prismatic_encoded.*\\\\].*\\\\[\\\\\u002Fprismatic_encoded\\\\])\u002FUs\", $text, -1, PREG_SPLIT_DELIM_CAPTURE);\n\t$count  = count($split);\n\t\n\tfor ($i = 0; $i \u003C $count; $i++) {\n\t\t\n\t\t$content = $split[$i];\n\t\t\n\t\tif (preg_match(\"\u002F^\\\\[prismatic_encoded(.*)\\\\](.*)\\\\[\\\\\u002Fprismatic_encoded\\\\]\u002FUs\", $content, $code)) {\n\t\t\t\n\t\t\t$atts = str_replace(\"%%\", \"\\\"\", $code[1]);\n\t\t\t\n\t\t\t$content = base64_decode($code[2]);\n\t\t\t\n\t\t\t$content = preg_replace(\"\u002F\\r\u002F\", \"\", $content);\n\t\t\t\n\t\t\t$content = preg_replace(\"\u002F^\\s*?\\n\u002F\", \"\\n\", $content);\n\t\t\t\n\t\t\t$atts = preg_replace('\u002F[^a-z0-9\\-\\_\\s\\\"\\.\\,\\=]\u002Fi', '', $atts);\n\t\t\t\n\t\t\t$content = '\u003Ccode'. $atts .'>'. esc_html($content) .'\u003C\u002Fcode>';\n\t\t\t\n\t\t}\n\t\t\n\t\t$output .= $content;\n\t\t\n\t}\n\t\n\treturn $output;\n\t\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fprismatic\u002F3.7.3\u002Finc\u002Fprismatic-core.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fprismatic\u002F3.7.4\u002Finc\u002Fprismatic-core.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fprismatic\u002F3.7.3\u002Finc\u002Fprismatic-core.php\t2026-03-10 21:57:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fprismatic\u002F3.7.4\u002Finc\u002Fprismatic-core.php\t2026-03-11 17:33:14.000000000 +0000\n@@ -92,6 +92,14 @@\n \n function prismatic_decode($text) {\n \t\n+\tglobal $prismatic_options_general;\n+\t\n+\t$options = $prismatic_options_general;\n+\t\n+\t$library = isset($options['library']) ? $options['library'] : null;\n+\t\n+\t\u002F\u002F\n+\t\n \tif (!is_string($text)) return $text;\n \t\n \t$output = '';\n@@ -112,9 +120,27 @@\n \t\t\t\n \t\t\t$content = preg_replace(\"\u002F^\\s*?\\n\u002F\", \"\\n\", $content);\n \t\t\t\n-\t\t\t$atts = preg_replace('\u002F[^a-z0-9\\-\\_\\s\\\"\\.\\,\\=]\u002Fi', '', $atts);\n+\t\t\t\u002F\u002F\n+\t\t\t\n+\t\t\t$code = prismatic_parse_get_doc($atts);\n+\t\t\t\n+\t\t\tif ($library === 'prism') {\n+\t\t\t\t\n+\t\t\t\t$class = prismatic_parse_prism($code);\n+\t\t\t\t\n+\t\t\t} elseif ($library === 'highlight') {\n+\t\t\t\t\n+\t\t\t\t$class = prismatic_parse_highlight($code);\n+\t\t\t\t\n+\t\t\t} else {\n+\t\t\t\t\n+\t\t\t\t$class = '';\n+\t\t\t\t\n+\t\t\t}\n+\t\t\t\n+\t\t\t$data_line = prismatic_parse_prism_addons($code);\n \t\t\t\n-\t\t\t$content = '\u003Ccode'. $atts .'>'. esc_html($content) .'\u003C\u002Fcode>';\n+\t\t\t$content = '\u003Ccode class=\"'. esc_attr($class) .'\" data-line=\"'. esc_attr($data_line) .'\">'. esc_html($content) .'\u003C\u002Fcode>';\n \t\t\t\n \t\t}","1. **Identify Vulnerable Hook**: The plugin registers `prismatic_decode` on the `comment_text` filter with a high priority (99), meaning it runs after standard WordPress comment sanitization.\n2. **Craft Payload**: Create a comment containing the `[prismatic_encoded]` pseudo-shortcode. The attribute section of the shortcode can include event handlers because the sanitization regex `\u002F[^a-z0-9\\-\\_\\s\\\"\\.\\,\\=]\u002Fi` permits spaces, equals signs, and quotes.\n3. **Payload Example**: `[prismatic_encoded onmouseover=\"alert(document.domain)\" class=\"language-javascript\"]Y29uc29sZS5sb2coMSk=[\u002Fprismatic_encoded]` (Note: the content between tags must be Base64 encoded).\n4. **Submit Comment**: As an unauthenticated user, post the crafted comment to a page where comments are enabled.\n5. **Execution**: When a user or administrator views the comment, the plugin renders the raw `onmouseover` attribute inside a `\u003Ccode>` tag. Hovering over the code block triggers the JavaScript.","gemini-3-flash-preview","2026-04-16 15:19:35","2026-04-16 15:20:39",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.7.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprismatic\u002Ftags\u002F3.7.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprismatic.3.7.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprismatic\u002Ftags\u002F3.7.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprismatic.3.7.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprismatic\u002Ftags"]