CVE-2026-8875

Vulnerability

The Easy Prism Syntax Highlighter plugin for WordPress versions up to and including 1.0.2 contains a stored cross-site scripting vulnerability in its shortcode() function, which handles the [code] and [c] shortcodes. The function concatenates the first positional attribute directly into the class attribute of the generated ` or HTML without calling esc_attr()` or any other escaping function [1][2]. This insufficient input sanitization and output escaping allows injection of arbitrary HTML and JavaScript.

Exploitation

An authenticated attacker with at least contributor-level access can craft a post or page containing a shortcode like [code attacker-controlled] where the attribute value includes a malicious payload, such as " onclick=alert(1). When the shortcode is processed, the payload is inserted into the class attribute without escaping, breaking out of the attribute and injecting event handlers or script tags. The injected script executes in the browser of any user who views the affected page.

Impact

Successful exploitation leads to stored cross-site scripting (XSS). The attacker can execute arbitrary JavaScript in the context of the victim's session, potentially stealing cookies, session tokens, or performing actions on behalf of the victim. Since the XSS is stored, it affects all visitors to the compromised page, including administrators.

Mitigation

The vendor has not released a patched version as of the publication date. Users should disable the plugin until a fix is available. Alternatively, restrict contributor-level access to trusted users only. The plugin is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at this time.