Description
The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via cincopa Shortcode in Post Comments in all versions up to, and including, 1.163 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation is possible because the plugin processes the [cincopa] shortcode via a comment_text filter hook, allowing unauthenticated visitors who can post comments to supply a malicious shortcode argument that persists in the database.
Published: 2026-06-24
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a stored XSS flaw (CWE‑79) that allows an unauthenticated user to embed malicious script code via the cincopa shortcode in WordPress comments. The payload is stored in the database and will execute in any browser that loads the page, potentially compromising credentials, defacing the site, or redirecting users to malicious content.

Affected Systems

All WordPress sites using the Cincopa video and media plug‑in up to version 1.163 are affected. The vulnerability is tied to the plugin’s handling of the [cincopa] shortcode via the comment_text filter hook.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, which means it is not tied to a publicly known exploit campaign. Nonetheless, the attack vector is readily exploitable: any user able to post a comment can inject the payload, and the payload remains until the comment is deleted. This makes the threat significant, especially for sites with open comment sections and no additional input validation.

Generated by OpenCVE AI on June 24, 2026 at 09:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cincopa plugin to the latest released version, where the shortcode input is properly sanitized.
  • If an upgrade cannot be performed immediately, remove or neutralize the cincopa shortcode from comment text processing by adjusting or removing the comment_text filter hook.
  • Enable comment moderation or disable unauthenticated comment posting so that only moderated content is displayed.
  • Apply additional site‑wide input filtering on comments to strip or encode any shortcode tags that can contain executable code.

Generated by OpenCVE AI on June 24, 2026 at 09:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via cincopa Shortcode in Post Comments in all versions up to, and including, 1.163 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation is possible because the plugin processes the [cincopa] shortcode via a comment_text filter hook, allowing unauthenticated visitors who can post comments to supply a malicious shortcode argument that persists in the database.
Title Cincopa video and media plug-in <= 1.163 - Unauthenticated Stored Cross-Site Scripting via cincopa Shortcode in Post Comments
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T12:18:08.558Z

Reserved: 2026-05-29T13:38:28.688Z

Link: CVE-2026-10092

cve-icon Vulnrichment

Updated: 2026-06-24T12:17:30.571Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:00:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')