CVE-2026-3362: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in itsananderson Short Comment Filter
The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Minimum Count' settings field in all versions up to and including 2.2. This is due to insufficient input sanitization (no sanitize callback on register_setting) and missing output escaping (no esc_attr() on the echoed value in the input's value attribute). The option value is stored via update_option() and rendered unescaped in an HTML attribute context. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses that page. This is particularly impactful in WordPress multisite installations or when DISALLOW_UNFILTERED_HTML is set, where administrators are not granted the unfiltered_html capability.
AI Analysis
Technical Summary
CVE-2026-3362 is a stored cross-site scripting vulnerability in the itsananderson Short Comment Filter WordPress plugin, affecting all versions up to 2.2. The issue arises from lack of sanitization on the 'Minimum Count' settings field and absence of escaping when rendering the stored option value in an HTML attribute context. Authenticated users with administrator privileges can exploit this to inject malicious scripts into the settings page, which execute upon page access. This vulnerability is more impactful in multisite environments or when DISALLOW_UNFILTERED_HTML is set, limiting administrators' capabilities.
Potential Impact
An authenticated attacker with administrator-level access can inject and execute arbitrary JavaScript in the plugin's settings page. This could lead to session hijacking, privilege escalation, or other attacks against users accessing that page. The vulnerability does not affect unauthenticated users and requires high privileges to exploit. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict administrator access to trusted users only and monitor for suspicious activity. Avoid using the affected plugin version in high-risk environments, especially multisite installations or where unfiltered HTML capabilities are restricted.
CVE-2026-3362: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in itsananderson Short Comment Filter
Description
The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Minimum Count' settings field in all versions up to and including 2.2. This is due to insufficient input sanitization (no sanitize callback on register_setting) and missing output escaping (no esc_attr() on the echoed value in the input's value attribute). The option value is stored via update_option() and rendered unescaped in an HTML attribute context. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses that page. This is particularly impactful in WordPress multisite installations or when DISALLOW_UNFILTERED_HTML is set, where administrators are not granted the unfiltered_html capability.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-3362 is a stored cross-site scripting vulnerability in the itsananderson Short Comment Filter WordPress plugin, affecting all versions up to 2.2. The issue arises from lack of sanitization on the 'Minimum Count' settings field and absence of escaping when rendering the stored option value in an HTML attribute context. Authenticated users with administrator privileges can exploit this to inject malicious scripts into the settings page, which execute upon page access. This vulnerability is more impactful in multisite environments or when DISALLOW_UNFILTERED_HTML is set, limiting administrators' capabilities.
Potential Impact
An authenticated attacker with administrator-level access can inject and execute arbitrary JavaScript in the plugin's settings page. This could lead to session hijacking, privilege escalation, or other attacks against users accessing that page. The vulnerability does not affect unauthenticated users and requires high privileges to exploit. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict administrator access to trusted users only and monitor for suspicious activity. Avoid using the affected plugin version in high-risk environments, especially multisite installations or where unfiltered HTML capabilities are restricted.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-27T19:52:23.019Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8876c19fe3cd2cd808cb9
Added to database: 4/22/2026, 8:31:40 AM
Last enriched: 4/22/2026, 9:02:45 AM
Last updated: 4/23/2026, 3:27:02 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.