CVE-2026-3362 MEDIUM

CVE-2026-3362: Short Comment Filter <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Minimum Count' Setting

Vendor Itsananderson
Product Short Comment Filter
Weakness CWE-79 · XSS
Published April 22, 2026
Last update April 22, 2026

CVSS base score

4.4/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Scope Changed
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Minimum Count' settings field in all versions up to and including 2.2. The cause is insufficient input sanitization (no sanitize callback passed to register_setting) combined with missing output escaping (no esc_attr() around the value echoed into the input's value attribute). The option value is stored via update_option() and rendered unescaped in an HTML attribute context. This makes it possible for authenticated attackers with administrator-level access or above to inject arbitrary web scripts into the settings page; the script executes whenever a user loads that page. The impact is greatest on WordPress multisite installations, or where DISALLOW_UNFILTERED_HTML is set, because administrators there are not granted the unfiltered_html capability and would otherwise be unable to store markup of this kind.
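The two defects named above (no sanitize callback, no attribute escaping) are easiest to see as a settings-page pattern. The snippet below is an added illustration and is not the plugin's code; the option group, option name, function names and the default of 5 are assumptions. The first pair of functions reproduces the weak pattern the advisory describes; the second pair shows the corrected form, which sanitizes on write and escapes on output.

```php
<?php
// Added example, not Short Comment Filter's own code.
// Option/group/function names below are assumed for illustration.

// --- Weak pattern as described in the advisory ---------------------------
// register_setting() without a sanitize_callback: whatever the form posts is
// stored as-is by update_option().
function scf_example_register_weak() {
    register_setting( 'scf_example_group', 'scf_example_min_count' );
}

// The stored value is echoed straight into a value="" attribute, so a stored
// double quote can close the attribute and the input is no longer inert.
function scf_example_render_weak() {
    $value = get_option( 'scf_example_min_count', 5 ); // assumed default
    echo '<input type="text" name="scf_example_min_count" value="' . $value . '" />';
}

// --- Corrected pattern ---------------------------------------------------
// A minimum comment length is a positive integer, so the sanitizer can reject
// everything that is not one. absint() is a WordPress core helper.
function scf_example_sanitize_min_count( $raw ) {
    $n = absint( $raw );
    return $n > 0 ? $n : 1;
}

// The $args array of register_setting() (WordPress 4.7+) carries the
// sanitize_callback; it runs before update_option() stores the value.
function scf_example_register_hardened() {
    register_setting(
        'scf_example_group',
        'scf_example_min_count',
        array(
            'type'              => 'integer',
            'sanitize_callback' => 'scf_example_sanitize_min_count',
            'default'           => 5,
        )
    );
}

// Escape on output regardless of what is stored: esc_attr() encodes the
// characters that can break out of an attribute context.
function scf_example_render_hardened() {
    $value = get_option( 'scf_example_min_count', 5 );
    printf(
        '<input type="number" min="1" name="scf_example_min_count" value="%s" />',
        esc_attr( $value )
    );
}

add_action( 'admin_init', 'scf_example_register_hardened' );
```

The two fixes are independent and both are worth keeping: the sanitize callback means a non-numeric value never reaches the database, and esc_attr() protects the page even if a value arrives by another path. Note that the unfiltered_html capability does not help here, since option values are not run through the content filters that comments and posts receive.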

Explanation of Vulnerability in Simple Terms

02 Summary

Short Comment Filter versions 2.2 and earlier contain a cross-site scripting (XSS) vulnerability in comment handling. An attacker with high-level privileges can inject malicious scripts that execute in other users' browsers when they view comments. Exploitation requires administrator-level access, and the vulnerability affects the integrity of comment data across the site.

What an attacker can do

03 Attacker Capabilities

Inject malicious scripts into comments that execute when other users view them.

Potential impact on your site

04 Site Impact

Attackers with admin/moderator access can compromise other users' sessions or steal data via malicious comments.

Conditions required to exploit

05 Prerequisites

Attacker must have high-level site privileges (e.g., admin or moderator role); no user interaction required.

Key dates

06 Disclosure timeline

April 22, 2026 CVE published
April 22, 2026 Record updated