Platform
wordpress
Component
scoreboard-for-html5-game-lite
Fixed in
1.2.1
CVE-2026-4083 is a stored cross-site scripting (XSS) vulnerability in the Scoreboard for HTML5 Games Lite plugin for WordPress. Attributes of the plugin's 'scoreboard' shortcode are written into the rendered page without adequate filtering, so an attacker who can place that shortcode in post content can inject script that runs in the browser of every visitor to the page. Versions 1.0.0 through 1.2 are affected. The header above lists 1.2.1 as the fixed release while the advisory text cites 1.3; upgrading to 1.3 or later is safe under either reading.
An attacker exploits the flaw by placing a crafted 'scoreboard' shortcode in post content. The plugin copies the shortcode's attributes onto the <iframe> it renders and strips only a short blacklist of attribute names, so any other event-handler attribute, such as onfocus or onmouseover, is emitted verbatim and its JavaScript runs in the browser of whoever views the page. Because the shortcode lives in the post, the payload persists in the database (hence "stored") and fires on every render; because WordPress shortcodes are processed from post content, the attacker first needs a way to get that content onto the site. Once the script runs in a victim's browser it acts inside that victim's session. WordPress marks its authentication cookies HttpOnly, so the realistic outcome against an administrator is not raw cookie theft but script-driven actions performed with the administrator's privileges; against ordinary visitors the usual XSS consequences apply: redirection to malicious sites, defacement, and capture of data typed into forms on the site. The blast radius is every user who renders a page containing the vulnerable shortcode.
CVE-2026-4083 was published on March 20, 2026 and is rated Medium severity (CVSS 6.4). No public exploit or proof-of-concept code had been identified at the time of writing, there is no indication of active exploitation, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Its EPSS score is low (0.05%, 15th percentile), i.e. a low predicted probability of exploitation in the wild over the next 30 days.
Exploit Status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4083 is to upgrade the Scoreboard for HTML5 Games Lite plugin to version 1.3 or later (the header above lists 1.2.1 as the fixed release; 1.3 or later is past the fix under either reading). If an immediate upgrade is blocked by compatibility or testing requirements, a Web Application Firewall (WAF) rule can reject content submissions that contain a 'scoreboard' shortcode with unexpected attributes. Do not model that rule on the plugin's own filtering, which only handles a few named attributes (sameheightas, onload, onpageshow, onclick): reject any attribute whose name begins with `on`, or better, any attribute other than the ones the shortcode actually needs. Remember that WordPress shortcode syntax accepts double-quoted, single-quoted and unquoted attribute values, so a pattern that only matches `on...="` will miss variants. Also review existing post content for scoreboard shortcodes carrying unexpected attributes; upgrading does not remove payloads that are already stored. After upgrading, verify the fix on a staging copy by authoring a post whose scoreboard shortcode carries a harmless handler (for example onmouseover="console.log('xss')") and confirming that the attribute is absent from the rendered <iframe> markup, not merely that nothing visibly executes.
Update to version 1.3, or a newer patched version
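The attribute check described above, both as the logic a WAF rule should implement and as a hunt over content already stored in the database, written out as an added example (this is not code from the plugin or from the advisory). It assumes the shortcode tag is 'scoreboard' and that 'sameheightas' is its only legitimate attribute (the advisory names that attribute without describing it); the three handler names in the plugin's blacklist are taken from the advisory, the attribute grammar is a simplified version of WordPress shortcode syntax rather than WordPress's own parser, and the sample posts are constructed.

```python
"""Hunt for [scoreboard ...] shortcodes whose attributes would reach the <iframe>.

Added example, not code from the plugin or from the advisory. Assumptions: the
shortcode tag is 'scoreboard'; 'sameheightas' is treated as its only legitimate
attribute; the three handler names the plugin filtered are taken from the
advisory; the attribute grammar is a simplified form of WordPress shortcode
syntax; SAMPLE_POSTS is constructed.
"""
from __future__ import annotations

import re

SHORTCODE_TAG = "scoreboard"

# Allowlist: what a safe rule or WAF check accepts. Assumption: only sameheightas.
ALLOWED_ATTRS = {"sameheightas"}

# Blacklist the advisory says the vulnerable plugin applied. Everything else,
# including every other on* handler, was passed through to the <iframe>.
PLUGIN_BLOCKLIST = {"onload", "onpageshow", "onclick"}

# [scoreboard ...] or [scoreboard .../]; the lookahead stops [scoreboards] matching.
_SHORTCODE_RE = re.compile(
    r"\[" + re.escape(SHORTCODE_TAG) + r"(?=[\s\]/])([^\]]*?)/?\]", re.IGNORECASE
)

# WordPress accepts name="v", name='v', name=v and a bare name (a flag).
_ATTR_RE = re.compile(
    r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))|([\w:-]+)(?=\s|$)"""
)


def parse_atts(raw: str) -> dict[str, str]:
    """Parse a shortcode's attribute string into {name: value}, names lower-cased."""
    atts: dict[str, str] = {}
    for m in _ATTR_RE.finditer(raw):
        if m.group(1):
            name = m.group(1)
            value = next(v for v in m.group(2, 3, 4) if v is not None)
        else:
            name, value = m.group(5), ""
        atts[name.lower()] = value
    return atts


def find_shortcodes(content: str) -> list[dict[str, str]]:
    """Return the parsed attributes of every scoreboard shortcode in content."""
    return [parse_atts(m.group(1)) for m in _SHORTCODE_RE.finditer(content)]


def unexpected_attrs(atts: dict[str, str]) -> list[str]:
    """Attribute names outside the allowlist: what a WAF rule should reject."""
    return sorted(a for a in atts if a not in ALLOWED_ATTRS)


def blocklist_misses(atts: dict[str, str]) -> list[str]:
    """on* handlers that the plugin's own blacklist would have let through."""
    return sorted(a for a in atts if a.startswith("on") and a not in PLUGIN_BLOCKLIST)


def scan_posts(posts: list[tuple[int, str]]) -> list[dict]:
    """Scan (post_id, post_content) pairs; one finding per shortcode with unexpected attributes."""
    findings = []
    for post_id, content in posts:
        for atts in find_shortcodes(content):
            bad = unexpected_attrs(atts)
            if bad:
                findings.append({
                    "post_id": post_id,
                    "unexpected": bad,
                    "missed_by_plugin_blocklist": blocklist_misses(atts),
                    "attributes": atts,
                })
    return findings


# Constructed sample content, not real posts.
SAMPLE_POSTS = [
    (1, 'Play now: [scoreboard sameheightas="game1"]'),           # legitimate use
    (2, '[scoreboard sameheightas="g" onclick="alert(1)"]'),       # caught by the plugin's blacklist
    # onfocus is not on the blacklist; tabindex + autofocus make it fire without a click
    (3, '[scoreboard onfocus="alert(document.domain)" tabindex=0 autofocus]'),
    (4, "No shortcode here, just [scoreboards] in running text"),  # different tag, must not match
    (5, "[scoreboard sameheightas=x onmouseover='alert(1)' /]"),   # self-closing, unquoted value
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']}: unexpected={f['unexpected']} "
              f"missed_by_plugin_blocklist={f['missed_by_plugin_blocklist']}")
```

Run it over post_content exported from wp_posts (a SQL dump or WP-CLI output) to find shortcodes stored before the upgrade; `unexpected_attrs` is the allowlist test a WAF rule should apply to incoming content, and `blocklist_misses` shows why the plugin's three-name blacklist was insufficient. The plugin-side equivalent of the same allowlist is to emit only known attribute names through esc_attr() when building the <iframe>.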
It's a Stored Cross-Site Scripting (XSS) vulnerability in the Scoreboard for HTML5 Games Lite WordPress plugin, allowing attackers to inject malicious scripts.
If you run Scoreboard for HTML5 Games Lite versions 1.0.0 through 1.2 on your WordPress site, you are affected.
Upgrade the plugin to version 1.3 or later. If upgrading isn't immediately possible, add a WAF rule that rejects 'scoreboard' shortcodes carrying attributes beyond the ones the shortcode needs, and review stored content for such shortcodes.
Currently, there's no public evidence of active exploitation or known proof-of-concept code for this vulnerability.
Refer to the CVE record for CVE-2026-4083 and the plugin's changelog on WordPress.org for updates and further information.