Platform
wordpress
Component
prismatic
Fixed in
3.7.4
CVE-2026-3876 describes a Stored Cross-Site Scripting (XSS) vulnerability affecting the Prismatic WordPress plugin. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts, potentially leading to account compromise or defacement. The vulnerability impacts versions up to 3.7.3, and a patch is available in version 3.7.4.
An attacker can exploit this XSS vulnerability by crafting a malicious 'prismatic_encoded' pseudo-shortcode within a comment and submitting it to a WordPress site using the vulnerable Prismatic plugin. When a user views the comment containing the injected script, the script will execute in their browser context. This can allow the attacker to steal session cookies, redirect the user to a phishing site, or modify the content of the page. The impact is particularly severe because the vulnerability is stored, meaning the malicious script persists until the comment is removed, potentially affecting multiple users over time. This type of XSS is similar to other stored XSS vulnerabilities that have been exploited to compromise WordPress sites and steal user credentials.
CVE-2026-3876 was publicly disclosed on 2026-04-16. No public proof-of-concept (PoC) code has been released at the time of writing, but the nature of the vulnerability makes it likely that one will emerge. The vulnerability is not currently listed in the CISA KEV catalog. The CVSS score of 7.2 (HIGH) indicates a significant risk, and the low complexity of exploitation suggests potential for widespread abuse.
Websites using the Prismatic WordPress plugin, especially those with public comment sections or forums, are at risk. Shared hosting environments where multiple WordPress sites share the same server resources are particularly vulnerable, as a compromise on one site could potentially impact others.
• wordpress / composer / npm: grep -r 'prismatic_encoded' /var/www/html/wp-content/plugins/prismatic/
• wordpress / composer / npm: wp plugin list | grep prismatic
• wordpress / composer / npm: wp plugin update prismatic
• generic web: Inspect comment fields for suspicious shortcode usage, particularly those containing encoded characters.
Disclosure
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3876 is to upgrade the Prismatic WordPress plugin to version 3.7.4 or later. If an immediate upgrade is not possible due to compatibility issues or breaking changes, consider temporarily disabling the Prismatic plugin to prevent new comment submissions. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting shortcodes might offer some protection, but this is not a substitute for patching. Review existing WordPress comments for suspicious 'prismatic_encoded' shortcodes and remove any found. After upgrading, verify the fix by attempting to submit a comment containing a crafted 'prismatic_encoded' shortcode and confirming that the script does not execute.
Update to version 3.7.4 or a newer patched version.
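The comment review step above can be scripted. The following is an added example written for this advisory; it is not the Prismatic plugin's code and not part of the original page. It assumes comment rows exported from the wp_comments table as dictionaries with the columns comment_ID, comment_author and comment_content (for instance via wp comment list --fields=comment_ID,comment_author,comment_content --format=json), flags every row that contains a 'prismatic_encoded' pseudo-shortcode, and reports whether the enclosed body carries HTML entities or percent-encoding so a reviewer can prioritise what to inspect first. The sample rows at the bottom are constructed for the demonstration.

```python
"""Triage WordPress comments for the Prismatic 'prismatic_encoded' pseudo-shortcode.

Added example for CVE-2026-3876 (not the plugin's own code). Assumes rows
exported from wp_comments as dicts with comment_ID, comment_author and
comment_content; the sample rows below are constructed.
"""
import html
import re

# Opening tag, case-insensitive, tolerating whitespace and shortcode attributes.
SHORTCODE_OPEN = re.compile(r"\[\s*prismatic_encoded\b[^\]]*\]", re.IGNORECASE)
# Full block so the enclosed body can be examined on its own.
SHORTCODE_BLOCK = re.compile(
    r"\[\s*prismatic_encoded\b[^\]]*\](?P<body>.*?)\[\s*/\s*prismatic_encoded\s*\]",
    re.IGNORECASE | re.DOTALL,
)
HTML_ENTITY = re.compile(r"&(?:#\d+|#x[0-9a-f]+|[a-z]+);", re.IGNORECASE)
PERCENT_ENCODED = re.compile(r"%[0-9a-f]{2}", re.IGNORECASE)


def encoding_indicators(text):
    """Return the kinds of character encoding found in text (the advisory's
    'encoded characters' hint), in a fixed order."""
    indicators = []
    if HTML_ENTITY.search(text):
        indicators.append("html-entities")
    if PERCENT_ENCODED.search(text):
        indicators.append("percent-encoding")
    return indicators


def scan_comments(rows):
    """Return one finding per comment row that contains the pseudo-shortcode.

    Each finding records the comment ID and author, how many complete
    shortcode blocks were found, which encoding indicators appeared inside
    them, and a decoded preview of the first block body for the reviewer.
    """
    findings = []
    for row in rows:
        content = row.get("comment_content", "")
        if not SHORTCODE_OPEN.search(content):
            continue  # plain mention of the word without brackets is not a shortcode
        bodies = [m.group("body") for m in SHORTCODE_BLOCK.finditer(content)]
        indicators = set()
        # Examine block bodies; fall back to the whole comment if the tag is unclosed.
        for body in bodies or [content]:
            indicators.update(encoding_indicators(body))
        findings.append({
            "comment_ID": row.get("comment_ID"),
            "comment_author": row.get("comment_author"),
            "shortcode_blocks": len(bodies),
            "indicators": sorted(indicators),
            "decoded_preview": html.unescape(bodies[0])[:80] if bodies else "",
        })
    return findings


# Constructed sample rows, not real site data.
SAMPLE_COMMENTS = [
    {"comment_ID": 101, "comment_author": "alice",
     "comment_content": "Great write-up, thanks!"},
    {"comment_ID": 102, "comment_author": "anon",
     "comment_content": "[prismatic_encoded]print(&quot;hi&quot;)[/prismatic_encoded]"},
    {"comment_ID": 103, "comment_author": "anon",
     "comment_content": "[PRISMATIC_ENCODED lang=php]%3Cb%3Ebold%3C%2Fb%3E[/prismatic_encoded]"},
    {"comment_ID": 104, "comment_author": "bob",
     "comment_content": "I read about the prismatic_encoded shortcode issue today."},
]

if __name__ == "__main__":
    for finding in scan_comments(SAMPLE_COMMENTS):
        print(finding)
```

Run against a real export, the findings list is the set of comment IDs to review and remove; the decoded preview is for a human reviewer and is never rendered back into the site.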
CVE-2026-3876 is a Stored XSS vulnerability in the Prismatic WordPress plugin, allowing attackers to inject malicious scripts via the 'prismatic_encoded' shortcode.
You are affected if you are using Prismatic WordPress plugin versions prior to 3.7.4. Check your plugin version and upgrade immediately.
Upgrade the Prismatic WordPress plugin to version 3.7.4 or later. If immediate upgrade is not possible, disable the plugin as a temporary workaround.
There are currently no known active campaigns exploiting CVE-2026-3876, but prompt remediation is still recommended.
Refer to the Prismatic plugin's official website or WordPress plugin repository for the latest advisory and update information.