CVE-2026-4083 is a stored cross-site scripting vulnerability identified in the Scoreboard for HTML5 Games Lite plugin for WordPress, affecting all versions up to and including 1.2. The vulnerability stems from the shortcode function sfhg_shortcode(), which allows arbitrary HTML attributes to be added to the rendered <iframe> element. Although the plugin blocks four specific attribute names (same_height_as, onload, onpageshow, onclick), it fails to block other JavaScript event handler attributes such as onfocus, onmouseover, and onmouseenter. The attribute names are sanitized using esc_html(), and values with esc_attr(), but these escaping functions do not prevent injection of JavaScript event handlers because these attribute names and simple JavaScript payloads do not contain characters altered by these functions. The shortcode content is stored in the WordPress post_content field and expanded to HTML at render time, after WordPress's kses filtering has been applied, which does not sanitize the injected attributes effectively. This flaw enables authenticated attackers with Contributor-level access or higher to inject arbitrary scripts that execute in the context of any user viewing the page containing the injected shortcode. The vulnerability has a CVSS v3.1 score of 6.4, reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and a scope change with partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability poses a risk of session hijacking, credential theft, or other malicious actions via script execution.

The primary impact of CVE-2026-4083 is the potential for attackers with Contributor-level WordPress access to inject persistent malicious scripts into pages, which execute in the browsers of any users visiting those pages. This can lead to theft of sensitive user information such as session cookies, credentials, or personal data, compromising confidentiality. Integrity can also be affected if attackers manipulate page content or perform actions on behalf of users. Although availability is not impacted, the breach of trust and potential data leakage can have significant reputational and operational consequences for organizations. Since the vulnerability requires authenticated access, it primarily threatens sites with multiple contributors or less restrictive user role management. The scope is broad because the plugin is publicly available and used worldwide, especially in gaming or entertainment-related WordPress sites. The vulnerability could be leveraged in targeted attacks against site administrators or visitors, potentially facilitating further compromise or lateral movement within organizational networks.

To mitigate CVE-2026-4083, organizations should immediately restrict shortcode usage to trusted user roles, ideally limiting it to Administrator-level users only. Implement strict input validation and sanitization for all shortcode attributes, explicitly disallowing any JavaScript event handler attributes beyond the current blacklist. Employ a whitelist approach for allowed attributes rather than blacklisting specific names. Update or patch the plugin once a vendor fix is released; if no patch is available, consider disabling or replacing the plugin with a secure alternative. Additionally, monitor WordPress user roles and permissions to prevent unauthorized privilege escalation. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of injected scripts. Regularly audit site content for unexpected or suspicious shortcode usage or iframe attributes. Educate content contributors about the risks of injecting untrusted content and enforce secure development practices for custom shortcodes or plugins.