Platform
wordpress
Component
codecolorer
Fixed in
0.10.2
0.10.2
A security vulnerability has been identified in Gramps WebAPI, affecting users with the Guest role. This issue allows unauthorized access to private sub-object data, such as private alternate names and addresses, through certain API endpoints. Versions of Gramps WebAPI prior to 3.9.1 are vulnerable. A patch is available in version 3.11.0.
CVE-2026-4032 in the CodeColorer WordPress plugin presents a significant security risk. It allows unauthenticated attackers to inject malicious web scripts into WordPress pages via the 'class' parameter in the 'cc' comment shortcode. When a user visits a page containing this injected script, the script executes automatically in their browser. The potential impact includes cookie theft, redirection to malicious websites, content alteration, and, in severe cases, website control. The vulnerability's severity is compounded by the ease of exploitation, requiring only comments to be enabled and guest comments allowed.
The vulnerability is exploited through the 'cc' shortcode within WordPress comments. An attacker can inject a malicious script into the 'class' parameter of the shortcode. For successful exploitation, comments must be enabled on the target post, and guest comments must be allowed. Once the comment is published, any user visiting the page containing the comment will execute the injected script. This allows the attacker to perform malicious actions in the user's browser, such as stealing sensitive information or redirecting them to dangerous websites.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The most effective mitigation for CVE-2026-4032 is to update the CodeColorer plugin to version 0.10.2 or higher. This version includes the necessary fixes to prevent script injection. If updating is not immediately possible, disabling guest comments or restricting user permissions to create comments is recommended. Additionally, implementing a Web Application Firewall (WAF) can help detect and block exploitation attempts. Regular security audits of the website are also crucial for identifying and addressing potential vulnerabilities.
Update to version 0.10.2, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
A shortcode is a snippet of code used to insert dynamic content into a WordPress page.
Stored XSS (Cross-Site Scripting) means the malicious script is stored on the server (in this case, in a WordPress comment) and executes every time a user visits the page.
If you are using a version prior to 0.10.2 of the CodeColorer plugin, your website is vulnerable. You can verify the plugin version in the WordPress admin dashboard.
A WAF (Web Application Firewall) is a security tool that protects web applications from malicious attacks, such as XSS.
If you suspect your website has been compromised, you should change all passwords, scan the website for malware, and restore from a clean backup.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.