Vulnerabilities ›

CVE-2026-4032

Medium

CWE-79 — Weakness Type

                    Published: Apr 16, 2026                      ·  Modified: Apr 19, 2026                      ·  Source: NVD                

CVSS v3

6.1

🔗 NVD Official

📄 Description (English)

The CodeColorer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter in 'cc' comment shortcode in versions up to, and including, 0.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires comments to be enabled on the target post and guest comments to be allowed.

🤖 AI Executive Summary

The CodeColorer WordPress plugin versions up to 0.10.1 contains a Stored Cross-Site Scripting vulnerability in the 'class' parameter of the 'cc' comment shortcode due to insufficient input sanitization. Unauthenticated attackers can inject malicious scripts that execute when users access affected pages, requiring only that comments and guest comments are enabled.

📄 Description (Arabic)

تحتوي إضافة CodeColorer لـ WordPress على ثغرة Stored XSS في معامل 'class' الخاص باختصار التعليقات 'cc' بسبب عدم كفاية تنظيف المدخلات والمخرجات. يمكن للمهاجمين غير المصرح لهم حقن نصوص برمجية ضارة في التعليقات التي تُنفذ عند وصول المستخدمين إلى الصفحات المتأثرة. تتطلب الاستغلال تفعيل التعليقات وتعليقات الضيوف على المنشورات المستهدفة.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 23, 2026 05:16

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government healthcare banking telecom

🎯 MITRE ATT&CK Techniques

T1190 T1598 T1566

⚖️ Saudi Risk Score (AI)

6.0

/ 10.0

🔧 Remediation Steps (English)

Update CodeColorer plugin to version 0.10.2 or later immediately. Disable guest comments if not required. Implement Web Application Firewall rules to filter malicious comment submissions. Review and sanitize all existing comments for injected scripts. Enable WordPress security plugins for additional XSS protection.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة CodeColorer إلى الإصدار 0.10.2 أو أحدث فوراً. عطّل تعليقات الضيوف إذا لم تكن مطلوبة. طبّق قواعد جدار حماية تطبيقات الويب لتصفية تعليقات ضارة. راجع جميع التعليقات الموجودة للتحقق من وجود نصوص برمجية محقونة. فعّل إضافات أمان WordPress للحماية الإضافية من XSS.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.7.1.1 A.7.1.2 A.12.6.1 A.14.2.1

🔵 SAMA CSF

ID.GV-2 PR.DS-1 PR.DS-2 DE.CM-1

🟡 ISO 27001:2022

A.14.2.1 A.14.2.5 A.12.6.1

🔗 References & Sources 2

🔗

https://plugins.trac.wordpress.org/changeset/3481552/codecolorer

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/44fd7e13-f48a-43c6-a735-15036...

security@wordfence.com

📊 CVSS Score

6.1

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionR — Required

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.1

CWECWE-79

EPSS0.02%

Exploit No

Patch ✗ No

Published 2026-04-16

Source Feed nvd

🇸🇦 Saudi Risk Score

6.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-79

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-4032

Introduce Yourself

Sign In Required