HIGH · CVE-2026-3876 · CVSS 7.2

CVE-2026-3876: XSS in Prismatic WordPress Plugin

Platform

wordpress

Component

prismatic

Fixed in

3.7.4

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-3876 describes a Stored Cross-Site Scripting (XSS) vulnerability affecting the Prismatic WordPress plugin. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts, potentially leading to account compromise or defacement. The vulnerability impacts versions up to 3.7.3, and a patch is available in version 3.7.4.

Impact and Attack Scenarios

An attacker can exploit this XSS vulnerability by injecting malicious JavaScript code within the 'prismatic_encoded' pseudo-shortcode in a comment. When a user views the comment containing the injected script, the script will execute in their browser context. This can allow the attacker to steal cookies, redirect the user to a malicious website, or modify the content of the page. The impact is particularly severe because the vulnerability is stored, meaning the malicious script persists until the comment is removed, affecting all users who view the affected page. Successful exploitation could lead to complete account takeover and further compromise of the WordPress site.

Exploitation Context

CVE-2026-3876 was publicly disclosed on 2026-04-16. There are currently no known public exploits or active campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog at the time of writing. Although the CVSS score is High (7.2), the low EPSS score (0.02%) suggests a moderate exploitation likelihood; even so, the ease of exploitation via comment injection warrants prompt remediation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.02% (6th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

Threat Intelligence · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Score: 7.2 (HIGH)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None
Source: nextguardhq.com · CVSS v3.1 Base Score

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access is required, giving the widest attack surface.
Attack Complexity: Low — no special conditions are required; the attacker can exploit it reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated; no login or credentials are needed to exploit.
User Interaction: None — no click or file open is required of the victim; for this stored XSS, viewing the page that renders the comment is enough.
Scope: Changed — the impact extends beyond the vulnerable component (the plugin) to other components, here the browsers of users who view the affected page.
Confidentiality: Low — partial or indirect data access; the attacker gains limited information.
Integrity: Low — the attacker can modify some data, with limited scope or impact.
Availability: None — no availability impact; the service remains fully operational.

Affected Software

Component: prismatic
Vendor: wordfence
Affected range: 0.0.0 – 3.7.3
Fixed in: 3.7.4

Package Information

Active installs: 2K (Niche)
Plugin rating: 4.8
Requires WordPress: 4.7+
Compatible up to: 7.0
Requires PHP: 5.6.20+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-3876 is to immediately upgrade the Prismatic WordPress plugin to version 3.7.4 or later. If upgrading is not immediately feasible, consider temporarily disabling the Prismatic plugin to prevent further exploitation. As a short-term workaround, implement strict input validation and output escaping for the 'prismatic_encoded' shortcode within the plugin's code, although this is not a substitute for upgrading. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting shortcodes may also provide some protection.

How to fix

Update to version 3.7.4 or a newer patched version.

Frequently asked questions

What is CVE-2026-3876 — Cross-Site Scripting in Prismatic WordPress Plugin?

CVE-2026-3876 is a Stored XSS vulnerability in the Prismatic WordPress plugin, allowing attackers to inject malicious scripts via the 'prismatic_encoded' shortcode.

Am I affected by CVE-2026-3876 in Prismatic WordPress Plugin?

You are affected if you are using Prismatic WordPress plugin versions prior to 3.7.4. Check your plugin version and upgrade immediately.
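One way to automate the version check described above, as an added example that is not part of this advisory or of the Prismatic plugin: it reads the "Version:" header that WordPress plugins carry in their main PHP file (a WordPress convention, assumed here) and compares it against the fixed release 3.7.4; the sample header embedded below is constructed for the demo.

```python
# Added example (not from the advisory or the Prismatic plugin): flag a Prismatic
# install whose version falls in the CVE-2026-3876 affected range (below 3.7.4).
# Assumes the WordPress convention that a plugin's main PHP file carries a
# "Version:" header comment; the sample header at the bottom is constructed.
import re
from pathlib import Path
from typing import Optional

FIXED_VERSION = "3.7.4"  # first patched release, per the advisory
# Matches "Version: 3.7.3" whether or not the header line is prefixed with " * ".
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)

def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version: value from a plugin header block, or None if absent."""
    m = _VERSION_RE.search(header_text)
    return m.group(1).strip() if m else None

def version_tuple(version: str) -> tuple:
    """Normalise '3.7', '3.7.3' or '3.7.3-beta' into a comparable integer tuple."""
    numeric = version.split("-")[0]  # drop any pre-release suffix
    parts = [int(p) for p in numeric.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))  # pad so '3.7' compares as 3.7.0

def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed release."""
    return version_tuple(version) < version_tuple(fixed)

def scan_plugins_dir(plugins_dir: Path) -> list:
    """Walk wp-content/plugins and report (directory, version, vulnerable) for Prismatic."""
    findings = []
    for php in plugins_dir.glob("prismatic*/*.php"):
        version = parse_plugin_version(php.read_text(errors="ignore"))
        if version:
            findings.append((php.parent.name, version, is_vulnerable(version)))
    return findings

# Constructed sample, shaped like a WordPress plugin header comment.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Prismatic
Version: 3.7.3
*/
"""

if __name__ == "__main__":
    v = parse_plugin_version(SAMPLE_HEADER)
    print(f"Prismatic {v}: {'VULNERABLE, upgrade to 3.7.4' if is_vulnerable(v) else 'patched'}")
```

Point `scan_plugins_dir` at a real `wp-content/plugins` directory to check an installed site rather than the constructed sample.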

How do I fix CVE-2026-3876 in Prismatic WordPress Plugin?

Upgrade the Prismatic WordPress plugin to version 3.7.4 or later. If immediate upgrade is not possible, disable the plugin as a temporary workaround.

Is CVE-2026-3876 being actively exploited?

There are currently no known active campaigns exploiting CVE-2026-3876, but prompt remediation is still recommended.

Where can I find the official Prismatic advisory for CVE-2026-3876?

Refer to the Prismatic plugin's official website or WordPress plugin repository for the latest advisory and update information.