Platform
wordpress
Component
scoreboard-for-html5-game-lite
Fixed version
1.2.1
CVE-2026-4083 describes a Stored Cross-Site Scripting (XSS) vulnerability affecting the Scoreboard for HTML5 Games Lite plugin for WordPress. The vulnerability allows attackers to inject malicious scripts via the scoreboard shortcode, potentially leading to unauthorized access and data compromise. It affects versions 1.0.0 through 1.2 of the plugin. A patch is available in version 1.3.
An attacker can leverage this XSS vulnerability by injecting malicious JavaScript through the 'scoreboard' shortcode. Because the plugin passes arbitrary HTML attributes through to the <iframe> element it renders, filtering them only against a limited blacklist, an attacker can supply event handler attributes such as onfocus or onmouseover that the blacklist does not cover, and these execute arbitrary code in the context of a user's browser. This could lead to session hijacking, where an attacker steals a user's session cookie and gains unauthorized access to their account. Attackers could also redirect users to malicious websites, deface the site, or steal sensitive data entered into forms on the affected WordPress site. The blast radius extends to every user who views a page containing the vulnerable shortcode.
CVE-2026-4083 was published on March 20, 2026. Severity is assessed as Medium (CVSS 6.4). No public exploits or proof-of-concept code had been identified at the time of writing, and there is no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, nor does it have an EPSS score.
Exploitation status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4083 is to upgrade the Scoreboard for HTML5 Games Lite plugin to version 1.3 or later, which contains the fix. If an immediate upgrade is not possible because of compatibility or testing requirements, consider a Web Application Firewall (WAF) rule that filters suspicious HTML attributes within the 'scoreboard' shortcode; specifically, block any attribute beyond the explicitly whitelisted ones (sameheightas, onload, onpageshow, onclick). Additionally, review any user-supplied input used within the shortcode and sanitize it appropriately. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload through the 'scoreboard' shortcode and verifying that it is not executed.
Update to version 1.3, or a newer patched version
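The following is an added example, not the plugin's code and not the fix shipped in version 1.3. It contrasts the attribute-blacklist pattern the advisory describes with an attribute allowlist for a shortcode that renders an <iframe>. All `demo_*` names and the `[demo_scoreboard]` shortcode are hypothetical; `esc_attr`, `esc_url` and `add_shortcode` are real WordPress helpers, and the guarded shims exist only so the file also runs under plain PHP from the command line. The advisory reports that the plugin's own whitelist names several `on*` handlers; this example deliberately assumes a stricter set of non-executable attributes and rejects every `on*` name outright, because an allowlist that admits event handlers still lets shortcode input execute script.

```php
<?php
// Added example, not the plugin's own code. demo_* names are hypothetical.
// Shims so the file runs outside WordPress; inside WordPress the core helpers are used.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        // Minimal shim: only http(s) URLs survive, then attribute-escaped.
        $url = (string) $url;
        return preg_match( '#^https?://#i', $url ) ? esc_attr( $url ) : '';
    }
}
if ( ! function_exists( 'add_shortcode' ) ) {
    function add_shortcode( $tag, $callback ) { /* no-op outside WordPress */ }
}

// Weak pattern: drop a few known-bad names and pass everything else through unescaped.
// Any handler missing from the list (onfocus, onmouseover, ...) reaches the page.
function demo_filter_attrs_blacklist( array $atts ) {
    $blocked = array( 'onload', 'onerror' ); // deliberately incomplete, as blacklists tend to be
    $out = array();
    foreach ( $atts as $name => $value ) {
        if ( ! in_array( strtolower( (string) $name ), $blocked, true ) ) {
            $out[ $name ] = $value;
        }
    }
    return $out;
}

// Hardened pattern: only named, non-executable attributes survive, every value is
// escaped for attribute context, and any on* name is rejected before the allowlist
// is consulted, so an event handler can never be emitted from shortcode input.
function demo_filter_attrs_allowlist( array $atts ) {
    $allowed = array( 'width', 'height', 'sameheightas' ); // assumed safe set for this example
    $out = array();
    foreach ( $atts as $name => $value ) {
        $name = strtolower( trim( (string) $name ) );
        if ( 0 === strpos( $name, 'on' ) || ! in_array( $name, $allowed, true ) ) {
            continue;
        }
        $out[ $name ] = esc_attr( $value );
    }
    return $out;
}

// Renders the iframe from an already-filtered attribute map.
function demo_render_iframe( $src, array $safe_atts ) {
    $html = '<iframe src="' . esc_url( $src ) . '"';
    foreach ( $safe_atts as $name => $value ) {
        $html .= ' ' . $name . '="' . $value . '"';
    }
    return $html . '></iframe>';
}

// Hypothetical [demo_scoreboard src="..." width="..."] handler using the allowlist.
function demo_scoreboard_shortcode( $atts ) {
    $atts = is_array( $atts ) ? $atts : array();
    $src  = isset( $atts['src'] ) ? $atts['src'] : '';
    unset( $atts['src'] );
    return demo_render_iframe( $src, demo_filter_attrs_allowlist( $atts ) );
}
add_shortcode( 'demo_scoreboard', 'demo_scoreboard_shortcode' );

if ( PHP_SAPI === 'cli' ) {
    // Constructed input modelled on the attribute injection the advisory describes.
    $atts = array(
        'src'          => 'https://example.invalid/game',
        'width'        => '600',
        'sameheightas' => 'game-box',
        'onmouseover'  => 'alert(1)', // not covered by the blacklist above
    );
    $without_src = array_diff_key( $atts, array( 'src' => 1 ) );
    echo 'blacklist: ' . demo_render_iframe( $atts['src'], demo_filter_attrs_blacklist( $without_src ) ) . "\n";
    echo 'allowlist: ' . demo_scoreboard_shortcode( $atts ) . "\n";
}
```

Run with `php demo.php`: the blacklist line still carries the `onmouseover` attribute, which is exactly the gap the advisory describes, while the allowlist line contains only `src`, `width` and `sameheightas`. The same two filters give you a concrete check for the post-upgrade verification step: render the shortcode with a harmless `on*` attribute and confirm it does not appear in the page source.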
It's a Stored Cross-Site Scripting (XSS) vulnerability in the Scoreboard for HTML5 Games Lite WordPress plugin, allowing attackers to inject malicious scripts.
If you're using Scoreboard for HTML5 Games Lite versions 1.0.0 through 1.2 on your WordPress site, you are potentially affected.
Upgrade the plugin to version 1.3 or later. If upgrading isn't immediately possible, implement a WAF rule to block suspicious HTML attributes.
Currently, there's no public evidence of active exploitation or known proof-of-concept code for this vulnerability.
Refer to the official WordPress vulnerability database and the plugin developer's website for updates and further information.