What the vulnerability does
01Description
The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Minimum Count' settings field in all versions up to and including 2.2. This is due to insufficient input sanitization (no sanitize callback on register_setting) and missing output escaping (no esc_attr() on the echoed value in the input's value attribute). The option value is stored via update_option() and rendered unescaped in an HTML attribute context. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses that page. This is particularly impactful in WordPress multisite installations or when DISALLOW_UNFILTERED_HTML is set, where administrators are not granted the unfiltered_html capability.
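The two defects named above, shown side by side as an added example (this is illustrative code, not the Short Comment Filter plugin's own source): a minimal Settings API field registered and rendered first the vulnerable way (no sanitize_callback, value echoed without esc_attr()) and then the hardened way. The option name scf_demo_min_count, the option group, the page slug and the function names are assumptions chosen for the example; the plugin's real identifiers are not given on this page.

```php
<?php
/**
 * Added example, not plugin code. All names prefixed scf_demo_ are
 * assumptions for illustration; the real option key is not known here.
 */

// --- Vulnerable pattern (what the advisory describes) --------------------
// register_setting() without a sanitize_callback: the Settings API passes
// the submitted value to update_option() unchanged, so the option holds
// whatever the administrator typed.
function scf_demo_register_vulnerable() {
    register_setting( 'scf_demo_options', 'scf_demo_min_count' );
}

// The stored value is concatenated straight into a double-quoted attribute.
// A stored value such as   " autofocus onfocus="alert(document.domain)
// closes the value attribute and appends attacker-chosen event handlers,
// which fire for every user who loads this settings page.
function scf_demo_render_vulnerable() {
    $value = get_option( 'scf_demo_min_count', '' );
    echo '<input type="text" name="scf_demo_min_count" value="' . $value . '">';
}

// --- Hardened pattern ----------------------------------------------------
// 1. Sanitize on input. The field is a comment count, so coerce it to a
//    non-negative integer; any markup collapses to 0 before it is stored.
//    register_setting() hooks this into sanitize_option_scf_demo_min_count,
//    which update_option() applies on every save.
function scf_demo_sanitize_min_count( $input ) {
    return absint( $input );
}

function scf_demo_register_hardened() {
    register_setting(
        'scf_demo_options',
        'scf_demo_min_count',
        array(
            'type'              => 'integer',
            'sanitize_callback' => 'scf_demo_sanitize_min_count',
            'default'           => 0,
        )
    );
}

// 2. Escape on output. esc_attr() encodes " ' < > & so the value cannot
//    terminate the attribute, which also covers a tainted value already in
//    the database from a version that saved without sanitization.
function scf_demo_render_hardened() {
    $value = (int) get_option( 'scf_demo_min_count', 0 );
    printf(
        '<input type="number" min="0" name="scf_demo_min_count" value="%s">',
        esc_attr( $value )
    );
}

// 3. Post-upgrade check. Sanitizing new saves does not clean an option that
//    was stored earlier; a count field should hold only digits. Anything
//    else indicates a value written before the fix and worth inspecting.
function scf_demo_option_looks_tampered( $stored ) {
    return ! is_string( $stored ) && ! is_int( $stored )
        || preg_match( '/^\d+$/', (string) $stored ) !== 1;
}

add_action( 'admin_init', 'scf_demo_register_hardened' );
```

Both halves of the fix matter independently: sanitization stops a payload from ever being written, and attribute-context escaping makes the render safe even when the database already contains a hostile value, as it may on a site that was upgraded after an administrator saved one.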
Explanation of Vulnerability in Simple Terms
02Summary
Short Comment Filter versions 2.2 and earlier contain a stored cross-site scripting (XSS) vulnerability in the plugin's 'Minimum Count' settings field. The value is saved without sanitization and printed back into the settings form without escaping, so an administrator can store a script payload that runs in the browser of any user who later opens that settings page. Administrators on single-site installs can normally post unfiltered HTML anyway, so the finding matters most where that capability is withheld: multisite networks and sites that define DISALLOW_UNFILTERED_HTML.
What an attacker can do
03Attacker Capabilities
Store arbitrary HTML or JavaScript in the 'Minimum Count' option; it executes in the browser of any user who loads the plugin's settings page.
Potential impact on your site
04Site Impact
An attacker with administrator-level access can plant a script that runs with the privileges of every other user who views the settings page, enabling session hijacking, data theft, or actions taken on the victim's behalf inside the WordPress admin. The practical impact is greatest on multisite networks and sites with DISALLOW_UNFILTERED_HTML, where administrators are otherwise prevented from injecting script.
Conditions required to exploit
05Prerequisites
Attacker must be authenticated with administrator-level access or above; a victim must then load the plugin's settings page for the stored script to execute. The value is written through the plugin's normal settings form and update_option(), so no other access is needed.
Key dates
06Disclosure timeline
April 22, 2026
CVE published
April 22, 2026
Record updated