{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4032", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-12T00:54:16.262Z", "datePublished": "2026-04-16T03:36:35.757Z", "dateUpdated": "2026-04-16T13:01:34.884Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T03:36:35.757Z"}, "affected": [{"vendor": "kpumuk", "product": "CodeColorer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.10.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The CodeColorer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter in 'cc' comment shortcode in versions up to, and including, 0.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires comments to be enabled on the target post and guest comments to be allowed."}], "title": "CodeColorer <= 0.10.1 - Unauthenticated Stored Cross-Site Scripting via 'class' attribute in 'cc' Comment Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44fd7e13-f48a-43c6-a735-15036aa03005?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3481552/codecolorer"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Chawabhon Netisingha"}], "timeline": [{"time": "2026-03-12T16:23:42.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-15T15:22:30.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T13:01:28.073488Z", "id": "CVE-2026-4032", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:01:34.884Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4032", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T13:01:28.073488Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:01:31.454Z"}}], "cna": {"title": "CodeColorer <= 0.10.1 - Unauthenticated Stored Cross-Site Scripting via 'class' attribute in 'cc' Comment Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Chawabhon Netisingha"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "kpumuk", "product": "CodeColorer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.10.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-12T16:23:42.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-15T15:22:30.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44fd7e13-f48a-43c6-a735-15036aa03005?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3481552/codecolorer"}], "descriptions": [{"lang": "en", "value": "The CodeColorer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter in 'cc' comment shortcode in versions up to, and including, 0.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires comments to be enabled on the target post and guest comments to be allowed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T03:36:35.757Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4032", "state": "PUBLISHED", "dateUpdated": "2026-04-16T13:01:34.884Z", "dateReserved": "2026-03-12T00:54:16.262Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-16T03:36:35.757Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The CodeColorer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter in 'cc' comment shortcode in versions up to, and including, 0.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires comments to be enabled on the target post and guest comments to be allowed."}], "id": "CVE-2026-4032", "lastModified": "2026-04-22T20:23:16.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-16T04:17:10.890", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3481552/codecolorer"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44fd7e13-f48a-43c6-a735-15036aa03005?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.10.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "CodeColorer", "source": "cna", "vendor": "kpumuk"}, "product": "codecolorer", "vendor": "kpumuk"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T08:59:39.494105+00:00", "value": {"mitigation_remediation": ["Update CodeColorer to the latest version (0.10.2 or later) to remove the unsanitized 'class' attribute", "Disable guest comments on the WordPress site or remove the 'cc' shortcode from comments entirely", "If an immediate update is not possible, apply proper escaping to the 'class' value in the plugin\u2019s shortcode handling code"], "summary": {"action": "Patch", "impact": "Stored Cross-Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites using the CodeColorer plugin version 0.10.1 or earlier are affected. The vulnerability applies to installations where comments are enabled on the target post and guest comments are permitted. The product is identified as kpumuk:CodeColorer.", "description_and_impact": "The CodeColorer plugin for WordPress is vulnerable to a stored cross\u2011site scripting flaw caused by inadequate input sanitization and output escaping of the 'class' parameter in the 'cc' comment shortcode. An unauthenticated attacker can inject arbitrary JavaScript into a comment, which is stored in the database and delivered to any visitor who views the comment. The injected script runs in the context of the site and can be used to hijack user sessions, deface the site, or perform other malicious client\u2011side actions. The weakness is classified as CWE\u201179.", "risk_and_exploitability": "The vulnerability scores 6.1 on the CVSS scale, indicating a medium severity risk. EPSS is not available, and the issue is not listed in the CISA KEV catalog. The attack vector is web\u2011based and requires unauthenticated access to the comment interface; successful exploitation could impact all users who view the compromised page."}}}}, "created": "2026-04-16T09:00:05.299749+00:00", "updated": "2026-04-16T09:11:57.000078+00:00", "vendors": ["kpumuk", "kpumuk$PRODUCT$codecolorer", "wordpress", "wordpress$PRODUCT$wordpress"]}