Description
The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0. This is due to insufficient output escaping in the as_get_coin_shortcode() function, which renders the 'width' (and 'height') shortcode attribute directly into the style attribute of an <iframe> element without applying any escaping function such as esc_attr(). An attacker-controlled value like '100px;"onload="alert(1)" x="' terminates the style attribute prematurely and injects an arbitrary HTML attribute into the iframe tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
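The attribute break-out the description above outlines, as an added example that is not the plugin's code: a reconstruction of the vulnerable shape of as_get_coin_shortcode() beside a hardened version, both run against the payload quoted in the advisory. Only the function name and the width/height attribute names come from the page; the function bodies, the default sizes, the iframe URL and the minimal stand-ins for WordPress's shortcode_atts() and esc_attr() are assumptions made so the file runs under plain php without a WordPress install.

```php
<?php
// Added example, not the plugin's own code. The function bodies, default
// sizes, iframe URL and the two WordPress stand-ins below are assumptions;
// only the name as_get_coin_shortcode and the width/height attributes come
// from the advisory. Runs under plain `php`, no WordPress install needed.

if (!function_exists('shortcode_atts')) {
    // Stand-in for WordPress shortcode_atts(): user attributes override the
    // defaults; attributes the shortcode does not declare are dropped.
    function shortcode_atts(array $pairs, array $atts): array
    {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? (string) $atts[$name] : $default;
        }
        return $out;
    }
}

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): encode the characters that can end
    // or restructure an HTML attribute value.
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable shape, kept vulnerable on purpose: the raw attribute values are
// concatenated straight into the style attribute.
function as_get_coin_shortcode_vulnerable(array $atts): string
{
    $a = shortcode_atts(['width' => '300px', 'height' => '400px'], $atts);
    return '<iframe src="https://example.invalid/widget" style="width:'
        . $a['width'] . ';height:' . $a['height'] . ';"></iframe>';
}

// Allow only a plain CSS length; anything else falls back to the default.
// (Helper name is this example's own, not the plugin's.)
function example_css_length(string $value, string $fallback): string
{
    return preg_match('/^\d{1,4}(\.\d{1,2})?(px|%|em|rem|vw|vh)$/', $value) === 1
        ? $value
        : $fallback;
}

// Hardened shape: validate first, then still escape on output so that a
// later relaxation of the validator cannot reopen the attribute break-out.
function as_get_coin_shortcode_hardened(array $atts): string
{
    $a = shortcode_atts(['width' => '300px', 'height' => '400px'], $atts);
    $width  = esc_attr(example_css_length($a['width'], '300px'));
    $height = esc_attr(example_css_length($a['height'], '400px'));
    return '<iframe src="https://example.invalid/widget" style="width:'
        . $width . ';height:' . $height . ';"></iframe>';
}

// The payload quoted in the advisory: ends the style attribute and injects
// an onload handler; the trailing x=" swallows the rest of the original style.
$payload = ['width' => '100px;"onload="alert(1)" x="'];

echo "vulnerable: ", as_get_coin_shortcode_vulnerable($payload), PHP_EOL;
echo "hardened:   ", as_get_coin_shortcode_hardened($payload), PHP_EOL;
```

Run with `php example.php`. The vulnerable branch prints an <iframe> whose style attribute ends at the injected quote, followed by a live onload="alert(1)" attribute and an x attribute that absorbs the leftover `;height:400px;`. The hardened branch rejects the value at validation and falls back to the default width, and esc_attr() would neutralise the quotes even if the validator were loosened later. A contributor would carry the payload into post content in single quotes, e.g. width='100px;"onload="alert(1)" x="', which WordPress's shortcode attribute parser accepts and which KSES leaves alone because the bracketed text is not an HTML tag.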
AI Analysis

Impact

The vulnerability arises from missing output escaping in the as_get_coin_shortcode() function of the Cryptocurrency Prijsvergelijking Widget plugin. An attacker who can add or edit shortcode attributes can supply a crafted value for the width (or height) attribute that closes the style attribute and inserts arbitrary HTML attributes, such as an onload handler, into the rendered <iframe>. Once stored, the markup is served to every browser that loads a page containing the shortcode, and the injected script runs in the site's origin under the viewer's session. The flaw is exploitable only by users with contributor-level or higher access, because the attacker must be able to create or modify the post in which the shortcode is stored; no unauthenticated vector is known. Because a contributor's post normally waits for review, an editor or administrator previewing it may be the first to execute the payload. Given the CVSS score of 6.4 (medium), an EPSS score below 1%, and no listing in CISA KEV, the risk is moderate, but it is higher for sites that use this widget and hand out contributor accounts to many or untrusted users: a single malicious contributor could compromise every visitor to the pages that render the widget.

Affected Systems

WordPress sites running the Cryptocurrency Prijsvergelijking Widget plugin from the vendor Cryptoprijzen. The CNA title gives the affected range as <= 1.0 and the description names version 1.0; no fixed version is listed on this page. No other vendors or products are indicated as affected.

Risk and Exploitability

The CVSS score of 6.4 indicates medium severity. The vector (AV:N/AC:L/PR:L/UI:N/S:C) describes an attack reached over the network through the normal WordPress authoring interface that needs only a low-privilege authenticated account (contributor or above); the changed scope reflects that the script executes in other users' browsers. The EPSS score is below 1% and the vulnerability is not listed in CISA KEV, so there is no indication yet that it is being exploited in the wild. Defenders should still assume that a malicious contributor could plant persistent (stored) XSS, leading to cookie theft (or, where cookies are HttpOnly, actions performed with the victim's privileges), session hijacking, or redirection for every user who views a page containing the injected shortcode; because the payload lives in post content, it survives theme changes and cache purges. No vendor fix or official workaround is listed on this page, so mitigation comes down to updating the plugin when a fix appears, patching locally, or restricting who can edit the shortcode.

Generated by OpenCVE AI on May 27, 2026 at 07:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Cryptocurrency Prijsvergelijking Widget plugin as soon as the vendor publishes a release that validates and escapes the width and height attributes; no fixed version is listed on this page.
  • Until then, patch the plugin locally: in as_get_coin_shortcode(), restrict width and height to plain CSS lengths and wrap them in esc_attr() before writing them into the iframe's style attribute. Track the local change so a later plugin update does not silently drop it.
  • Limit the contributor role (and above) to users who genuinely need to edit content containing the shortcode, and audit existing posts, including drafts, pending submissions and revisions, for shortcodes whose width or height value contains quotes, semicolons or anything other than a CSS length; remove those attributes or the whole shortcode to eliminate the stored payload.
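The audit step above, as an added example that is neither the plugin's nor OpenCVE's code: a helper that scans post content for the widget shortcode and flags width/height values that are not plain CSS lengths. The shortcode tag 'coin_widget' is an assumption (the real tag comes from the plugin's add_shortcode() call), and the sample post content is constructed for the example.

```php
<?php
// Added example, not the plugin's or OpenCVE's code: an audit helper that
// finds widget shortcodes whose width/height value is not a plain CSS length,
// so stored payloads can be located and the attributes removed. The tag name
// 'coin_widget' is an assumption (take the real one from the plugin's
// add_shortcode() call) and the sample post content is constructed.

function find_suspicious_widget_shortcodes(string $content, string $tag): array
{
    $findings = [];
    // Every [tag ...] occurrence; group 1 is the raw attribute string.
    $tagRe = '/\[' . preg_quote($tag, '/') . '\b([^\]]*)\]/i';
    if (!preg_match_all($tagRe, $content, $shortcodes, PREG_SET_ORDER)) {
        return $findings;
    }
    // Double-quoted, single-quoted or bare values, the forms WordPress's own
    // attribute parser accepts, so a payload hidden in single quotes is seen.
    $attrRe = '/\b(width|height)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/i';
    foreach ($shortcodes as $sc) {
        preg_match_all($attrRe, $sc[1], $attrs, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL);
        foreach ($attrs as $a) {
            $value = $a[2] ?? $a[3] ?? $a[4] ?? '';
            if (preg_match('/^\d{1,4}(\.\d{1,2})?(px|%|em|rem|vw|vh)$/', $value) !== 1) {
                $findings[] = [
                    'shortcode' => $sc[0],
                    'attribute' => strtolower($a[1]),
                    'value'     => $value,
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample of post_content: one benign shortcode, one carrying the
// advisory's payload in single quotes so the double quotes survive parsing.
$sample = "Intro text.\n"
    . "[coin_widget coin=\"btc\" width=\"300px\" height=\"400px\"]\n"
    . "[coin_widget coin=\"eth\" width='100px;\"onload=\"alert(1)\" x=\"']\n";

foreach (find_suspicious_widget_shortcodes($sample, 'coin_widget') as $f) {
    printf("suspicious %s=%s in %s\n", $f['attribute'], var_export($f['value'], true), $f['shortcode']);
}
```

Run with `php audit.php`; only the second shortcode is reported. In a real audit, feed the function post_content from wp_posts for every post_status, including draft, pending and inherit (the status WordPress gives revisions), since a payload a contributor submitted but never published still executes for whoever previews it.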

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Cryptoprijzen; Cryptoprijzen cryptocurrency Prijsvergelijking Widget; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Cryptoprijzen; Cryptoprijzen cryptocurrency Prijsvergelijking Widget; Wordpress; Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type: Description
Values Removed: none
Values Added: The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0. This is due to insufficient output escaping in the as_get_coin_shortcode() function, which renders the 'width' (and 'height') shortcode attribute directly into the style attribute of an <iframe> element without applying any escaping function such as esc_attr(). An attacker-controlled value like '100px;"onload="alert(1)" x="' terminates the style attribute prematurely and injects an arbitrary HTML attribute into the iframe tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: none
Values Added: Cryptocurrency Prijsvergelijking Widget <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'width' Shortcode Attribute

Type: Weaknesses
Values Removed: none
Values Added: CWE-79

Type: References
Values Removed: none
Values Added: none listed

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Cryptoprijzen Cryptocurrency Prijsvergelijking Widget
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:40:15.946Z

Reserved: 2026-05-15T16:52:11.269Z

Link: CVE-2026-8698

Vulnrichment

Updated: 2026-05-27T10:40:10.308Z

NVD

Status : Received

Published: 2026-05-27T07:16:14.177

Modified: 2026-05-27T07:16:14.177

Link: CVE-2026-8698

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:07:48Z

Weaknesses