Description
The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3. This is due to insufficient input sanitization and output escaping on user-supplied attributes within the 'prismatic_decode' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by submitting a comment containing a crafted 'prismatic_encoded' pseudo-shortcode.
Published: 2026-04-16
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Prismatic WordPress plugin is vulnerable because the prismatic_decode function does not properly sanitize or escape user-supplied attributes. As a result, an unauthenticated attacker can embed arbitrary JavaScript in a comment that includes a crafted prismatic_encoded pseudo-shortcode. The injected script is stored with the comment and executes whenever any user views the page containing it, enabling session hijacking, credential theft, or defacement.

Affected Systems

The issue affects the Prismatic plugin for WordPress (vendor: specialk) in all released versions up to and including 3.7.3. No narrower version range is listed beyond that upper bound.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 7.2 (High). No credentials are needed; submitting a public comment suffices to inject the payload. The EPSS score is not available, and the issue is not in the CISA KEV catalog, but the absence of any authentication requirement and the stored nature of the XSS mean it could readily be exploited by an automated script once a comment is posted. Existing access controls do not mitigate it, and any visitor to the affected WordPress site could be compromised.

Generated by OpenCVE AI on April 16, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Prismatic plugin to version 3.7.4 or later to receive the vendor patch that validates and escapes shortcode attributes.
  • If an update is not immediately possible, disable user comments or delete comments that contain the prismatic_encoded pseudo-shortcode to prevent further script storage.
  • Implement a WordPress content filter to escape or strip any prismatic_encoded shortcodes from comment content until the plugin can be upgraded.
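A minimal content filter for the third action above, written here as an added example rather than code from OpenCVE or the Prismatic plugin. It assumes the pseudo-shortcode uses WordPress's square-bracket form, "[prismatic_encoded ...] ... [/prismatic_encoded]", and relies on the core pre_comment_content and comment_text filters to strip the tag both before a comment is stored and when already-stored comments are rendered.

```php
<?php
/*
 * Plugin Name: Strip prismatic_encoded from comments (interim mitigation)
 * Description: Removes the prismatic_encoded pseudo-shortcode from comment
 * content until the Prismatic plugin can be upgraded.
 */

// Tag named in the advisory. The bracket syntax matched below is an
// assumption about how the plugin spells the pseudo-shortcode.
const PRISMATIC_MITIGATION_TAG = 'prismatic_encoded';

/**
 * Remove every occurrence of the pseudo-shortcode, including its
 * attributes and any enclosed content, from a block of comment text.
 */
function prismatic_mitigation_strip( $content ) {
    $tag = preg_quote( PRISMATIC_MITIGATION_TAG, '#' );

    // Enclosing form: [prismatic_encoded attr="..."] ... [/prismatic_encoded]
    $content = preg_replace(
        '#\[' . $tag . '\b[^\]]*\].*?\[/' . $tag . '\]#si',
        '',
        $content
    );

    // Leftover opening or closing tags without a matching partner.
    $content = preg_replace( '#\[/?' . $tag . '\b[^\]]*\]#i', '', $content );

    return $content;
}

// Strip at submission time so the tag is never stored
// (wp_filter_comment() applies this filter during wp_new_comment()).
add_filter( 'pre_comment_content', 'prismatic_mitigation_strip', 5 );

// Strip at render time as well, covering comments stored before this
// file was installed. Priority 1 runs ahead of other comment_text filters.
add_filter( 'comment_text', 'prismatic_mitigation_strip', 1 );
```

Drop the file into wp-content/plugins/ and activate it; the filter removes the tag wholesale rather than escaping it, which is the simpler choice when the shortcode serves no purpose in comments.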

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 09:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Specialk; Specialk prismatic; Wordpress; Wordpress wordpress
Vendors & Products    -                Specialk; Specialk prismatic; Wordpress; Wordpress wordpress

Thu, 16 Apr 2026 07:15:00 +0000

Type          Values Removed   Values Added
Description   -                The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3. This is due to insufficient input sanitization and output escaping on user-supplied attributes within the 'prismatic_decode' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by submitting a comment containing a crafted 'prismatic_encoded' pseudo-shortcode.
Title         -                Prismatic <= 3.7.3 - Unauthenticated Stored Cross-Site Scripting via 'prismatic_encoded' Pseudo-Shortcode
Weaknesses    -                CWE-79
References    -                -
Metrics       -                cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-16T14:13:20.711Z

Reserved: 2026-03-10T11:04:56.076Z

Link: CVE-2026-3876

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-16T07:16:30.350

Modified: 2026-04-16T07:16:30.350

Link: CVE-2026-3876

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:11:37Z

Weaknesses