Description
The Writeprint Stylometry plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'p' GET parameter in all versions up to and including 0.1. This is due to insufficient input sanitization and output escaping in the bjl_wprintstylo_comments_nav() function. The function directly outputs the $_GET['p'] parameter into an HTML href attribute without any escaping. This makes it possible for authenticated attackers with Contributor-level permissions or higher to inject arbitrary web scripts in pages that execute if they can successfully trick another user into performing an action such as clicking on a link.
Published: 2026-03-18
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Writeprint Stylometry plugin for WordPress contains a reflected Cross‑Site Scripting vulnerability that allows an attacker to inject arbitrary JavaScript into the page output by supplying a specially crafted value for the 'p' GET parameter. The vulnerable code is located in the bjl_wprintstylo_comments_nav() function, which echoes $_GET['p'] directly into an HTML href attribute without proper escaping, thereby enabling script execution in the context of any authenticated user who follows the link. This weakness corresponds to CWE‑79: Improper Neutralization of Input During Web Page Generation.

Affected Systems

All releases of the Writeprint Stylometry plugin up to and including version 0.1 are affected. The vendor is alhadeff. No specific sub‑versions are listed; any installation running 0.1 or earlier carries the same risk.

Risk and Exploitability

The issue has a CVSS v3.1 score of 6.1, indicating medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. Exploitation requires a web‑based attack vector: an attacker with Contributor‑level or higher permissions can supply a malicious value for the 'p' parameter, causing script execution in the context of any authenticated user who follows the link. The attack is therefore internal or social‑engineering driven rather than a publicly exploitable remote code execution.

Generated by OpenCVE AI on March 18, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Writeprint Stylometry plugin to a version newer than 0.1 if an update is available.
  • If no update exists, disable or remove the plugin from the WordPress installation to eliminate the attack surface.
  • If disabling the plugin is not feasible, apply an application‑layer Web Application Firewall (WAF) rule to block or sanitize requests to the 'p' parameter.
  • Consider restricting Contributor or higher site‑wide roles from accessing URLs that expose the vulnerable parameter, or review custom role capabilities.

Generated by OpenCVE AI on March 18, 2026 at 08:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Alhadeff
Alhadeff writeprint Stylometry
Wordpress
Wordpress wordpress
Vendors & Products Alhadeff
Alhadeff writeprint Stylometry
Wordpress
Wordpress wordpress

Wed, 18 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
Description The Writeprint Stylometry plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'p' GET parameter in all versions up to and including 0.1. This is due to insufficient input sanitization and output escaping in the bjl_wprintstylo_comments_nav() function. The function directly outputs the $_GET['p'] parameter into an HTML href attribute without any escaping. This makes it possible for authenticated attackers with Contributor-level permissions or higher to inject arbitrary web scripts in pages that execute if they can successfully trick another user into performing an action such as clicking on a link.
Title Writeprint Stylometry <= 0.1 - Reflected Cross-Site Scripting via 'p' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Alhadeff Writeprint Stylometry
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:06.635Z

Reserved: 2026-03-04T14:56:33.403Z

Link: CVE-2026-3512

cve-icon Vulnrichment

Updated: 2026-03-18T15:34:43.253Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-18T07:16:21.633

Modified: 2026-03-18T14:52:44.227

Link: CVE-2026-3512

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:59:14Z

Weaknesses