{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/prismatic-plugin/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-3876"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Prismatic plugin","WordPress"],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","plugin","prismatic"],"_cs_type":"advisory","_cs_vendors":["Prismatic","WordPress"],"content_html":"\u003cp\u003eThe Prismatic plugin, a WordPress extension, is susceptible to a stored Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-3876. This flaw exists in all versions up to and including 3.7.3. The vulnerability arises due to inadequate input sanitization and output escaping of user-supplied attributes within the 'prismatic_decode' function, which handles the 'prismatic_encoded' pseudo-shortcode. Exploitation occurs when an unauthenticated attacker injects malicious web scripts into a page by submitting a comment containing a specially crafted 'prismatic_encoded' pseudo-shortcode. Successful exploitation allows the attacker to execute arbitrary JavaScript code in the context of a user's browser when they view the compromised page. This could lead to account compromise, data theft, or other malicious actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Prismatic plugin (version \u0026lt;= 3.7.3).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious comment containing the \u003ccode\u003eprismatic_encoded\u003c/code\u003e pseudo-shortcode. This shortcode includes a payload designed to execute arbitrary JavaScript in the browser. The \u003ccode\u003eprismatic_encoded\u003c/code\u003e value is crafted to bypass weak sanitization.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the comment to a blog post or page on the target WordPress site.\u003c/li\u003e\n\u003cli\u003eThe WordPress application stores the malicious comment, including the embedded XSS payload, in the database.\u003c/li\u003e\n\u003cli\u003eA legitimate user visits the blog post or page where the malicious comment was posted.\u003c/li\u003e\n\u003cli\u003eThe WordPress application renders the page, processing the stored comment and executing the malicious JavaScript code embedded within the \u003ccode\u003eprismatic_encoded\u003c/code\u003e shortcode due to the insufficient output escaping.\u003c/li\u003e\n\u003cli\u003eThe attacker's JavaScript code executes in the user's browser, potentially stealing cookies, redirecting the user to a malicious site, or performing other unauthorized actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability (CVE-2026-3876) allows unauthenticated attackers to inject arbitrary web scripts into WordPress pages. This can lead to a range of malicious outcomes, including account takeover, defacement of the website, redirection of users to phishing sites, and theft of sensitive information. The impact is magnified by the fact that the XSS is stored, meaning that the malicious script will be executed every time a user visits the affected page until the malicious comment is removed or the vulnerability is patched. While the number of affected sites is unknown, any WordPress installation running a vulnerable version of the Prismatic plugin is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Prismatic plugin to the latest version (greater than 3.7.3) to patch the vulnerability (CVE-2026-3876).\u003c/li\u003e\n\u003cli\u003eImplement input validation and output encoding/escaping for all user-supplied data, especially within WordPress plugins, to prevent XSS vulnerabilities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Prismatic WordPress Plugin XSS Attempt\u003c/code\u003e to identify attempts to exploit the vulnerability through malicious comments containing the \u003ccode\u003eprismatic_encoded\u003c/code\u003e shortcode.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for suspicious POST requests to \u003ccode\u003e/wp-comments-post.php\u003c/code\u003e containing the \u003ccode\u003eprismatic_encoded\u003c/code\u003e string.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-prismatic-xss/","summary":"The Prismatic plugin for WordPress versions 3.7.3 and earlier is vulnerable to stored cross-site scripting (XSS) via the 'prismatic_encoded' pseudo-shortcode, allowing unauthenticated attackers to inject arbitrary web scripts into pages.","title":"Prismatic WordPress Plugin Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-29-prismatic-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Prismatic Plugin","version":"https://jsonfeed.org/version/1.1"}