CVE-2026-3362 is a stored cross-site scripting vulnerability in the itsananderson Short Comment Filter WordPress plugin, affecting all versions up to 2.2. The flaw arises because the 'Minimum Count' setting does not use a sanitize callback during register_setting and fails to escape output with esc_attr() when rendering the value in an HTML attribute context. The malicious input is stored via update_option() and executed when the settings page is viewed. This allows authenticated users with administrator privileges to inject arbitrary JavaScript, which executes in the context of the WordPress admin interface. The vulnerability is more impactful in WordPress multisite environments or when DISALLOW_UNFILTERED_HTML is enabled, as administrators lack the unfiltered_html capability, limiting their ability to safely input HTML.

An authenticated attacker with administrator-level access can inject and execute arbitrary JavaScript in the WordPress admin settings page of the Short Comment Filter plugin. This can lead to unauthorized actions within the admin interface, potentially compromising site integrity or user sessions. The vulnerability does not require user interaction and affects multisite installations or setups with restricted HTML capabilities, increasing its potential impact. However, the attack surface is limited to users with high privileges, and no known exploits are reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict administrator access to trusted users only and monitor plugin updates from itsananderson for an official patch. Avoid using the vulnerable versions of the Short Comment Filter plugin in sensitive environments, especially multisite installations or where DISALLOW_UNFILTERED_HTML is set.