PatchSiren cyber security CVE debrief
CVE-2026-8875 cuamckuy CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in the Easy Prism Syntax Highlighter WordPress plugin, affecting versions up to and including 1.0.2. The flaw resides in the plugin's shortcode handler function, where user-supplied positional attributes are concatenated directly into HTML class attributes without sanitization or escaping. Specifically, the 'code' and 'c' shortcodes accept a language identifier as their first positional argument, which is then inserted into the class attribute of the generated <pre> and <code> elements. The absence of esc_attr() or an equivalent escaping function allows authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript payloads. When a page containing a malicious shortcode is viewed, the injected script executes in the context of the victim's browser session. The vulnerability was disclosed on 2026-05-27 and carries a CVSS 3.1 score of 6.4 (Medium severity). The attack vector is network-based, with low attack complexity, low privileges required, and no user interaction needed. The scope is changed because the flaw can affect components beyond the vulnerable module.
- Vendor: cuamckuy
- Product: Easy Prism Syntax Highlighter
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
- WordPress site administrators using the Easy Prism Syntax Highlighter plugin
- Security teams managing WordPress installations
- Developers maintaining WordPress plugins with shortcode functionality
- Organizations with contributor-level users who may have been compromised
Technical summary
The vulnerability exists in the shortcode() function of PrismSyntaxHighlither.php. The plugin registers the 'code' and 'c' shortcodes, which accept a language parameter as the first positional attribute. This parameter is concatenated directly into the HTML output ($class = 'language-' . $atts[0];) without a call to esc_attr(), wp_kses(), or a similar sanitization function. The resulting HTML structure <pre class='$class'><code class='$class'> allows attribute injection when the attacker supplies a payload such as 'php onmouseover=alert(1)//'. The generated HTML becomes <pre class='language-php onmouseover=alert(1)//'>, executing the injected JavaScript when the element is interacted with or in certain browser contexts. The vulnerability requires authenticated access with contributor privileges or higher, since these roles can create and publish posts containing shortcodes. Because the XSS is stored, the payload persists in the database and executes for every user who views the affected page.
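The concatenation described above, modelled in PHP next to a hardened handler. This is an added example, not the plugin's own code: the function names, the allowed-alias pattern, the 'none' fallback and the stand-in esc_attr() used for running outside WordPress are all assumptions.

```php
<?php
// Added example (not the plugin's code): a minimal model of the shortcode
// handler the advisory describes, in vulnerable and hardened forms.

// Stand-in for WordPress's esc_attr() so this file runs from the PHP CLI.
// Inside a plugin, call the real esc_attr(); this fallback is an assumption.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable form: $atts[0] is the first positional shortcode attribute and
// is dropped straight into the class attribute (pattern from the advisory).
function shortcode_vulnerable($atts, ?string $content = null): string {
    $atts  = (array) $atts;                  // WordPress passes '' when there are no attributes
    $class = 'language-' . ($atts[0] ?? ''); // no escaping, no validation
    return "<pre class='$class'><code class='$class'>" . ($content ?? '') . "</code></pre>";
}

// Hardened form: (1) accept only characters a Prism language alias can
// contain (assumed pattern), (2) fall back to a fixed default otherwise,
// (3) still escape at output so any future change upstream stays safe.
function shortcode_hardened($atts, ?string $content = null): string {
    $atts = (array) $atts;
    $lang = (string) ($atts[0] ?? '');
    if (!preg_match('/^[a-z0-9][a-z0-9_-]{0,31}$/', $lang)) {
        $lang = 'none'; // assumed safe default: no highlighting
    }
    $class = esc_attr('language-' . $lang);
    // The code body is escaped too: the highlighter expects text, not HTML.
    $body = htmlspecialchars($content ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<pre class='$class'><code class='$class'>$body</code></pre>";
}

// The payload quoted in the advisory, supplied as the first positional attribute.
$payload = ['php onmouseover=alert(1)//'];

echo shortcode_vulnerable($payload, 'echo 1;'), PHP_EOL; // attacker text reaches the attribute unescaped
echo shortcode_hardened($payload, 'echo 1;'), PHP_EOL;   // rejected: class becomes language-none
echo shortcode_hardened(['php'], 'echo 1;'), PHP_EOL;    // normal use is unaffected
```

The allowlist check does the real work here: escaping alone would keep the payload inside the attribute value, but validating the token against the shape of a language alias also stops anything that is not a language name from reaching the markup at all, which is the behaviour a syntax highlighter actually needs.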
Defensive priority
medium
Recommended defensive actions
- Update Easy Prism Syntax Highlighter plugin to a version newer than 1.0.2 if available, or remove the plugin if no patch is released
- Review existing posts and pages for suspicious shortcode usage, particularly [code] and [c] shortcodes with unusual class attribute values
- Implement Content Security Policy (CSP) headers to mitigate impact of any stored XSS payloads
- Consider using WordPress hooks to disable the affected shortcodes temporarily if patching is delayed
- Audit user accounts with contributor or higher privileges for signs of compromise
- Apply principle of least privilege by reviewing and restricting contributor-level access where unnecessary
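An audit helper for the "review existing posts" action above, plus the temporary shortcode disable from the hooks action. This is an added example and not code from the plugin or from WordPress; the sample posts are constructed, the allowed-alias pattern is an assumption, and the 'init' priority used to unregister the shortcodes is an assumption about when the plugin registers them.

```php
<?php
// Added example (not the plugin's or WordPress's code): find [code ...] and
// [c ...] shortcodes whose first positional attribute does not look like a
// plain language alias, then optionally unregister the shortcodes.

const SAFE_LANG = '/^[a-z0-9][a-z0-9_-]{0,31}$/'; // assumed alias shape

// Return the first attribute token without a "name=" prefix, handling the
// bare, "double-quoted" and 'single-quoted' positional cases (a simplified
// version of the grammar WordPress's shortcode_parse_atts() accepts).
function first_positional_attribute(string $attr_text): ?string {
    $re = '/(\w+)=("[^"]*"|\'[^\']*\'|\S+)|"([^"]*)"|\'([^\']*)\'|(\S+)/';
    preg_match_all($re, $attr_text, $tokens, PREG_SET_ORDER);
    foreach ($tokens as $t) {
        if (isset($t[1]) && $t[1] !== '') {
            continue; // named attribute, not positional
        }
        foreach ([3, 4, 5] as $i) {
            if (isset($t[$i]) && $t[$i] !== '') {
                return $t[$i];
            }
        }
    }
    return null;
}

// One finding per suspicious shortcode in a post's content.
function find_suspicious_shortcodes(int $post_id, string $content): array {
    $findings = [];
    // [[code ...]] is the escaped form and is skipped by the lookbehind.
    if (!preg_match_all('/(?<!\[)\[(code|c)\s+([^\]]*?)\]/', $content, $m, PREG_SET_ORDER)) {
        return $findings;
    }
    foreach ($m as $match) {
        $first = first_positional_attribute($match[2]);
        if ($first === null) {
            continue; // only named attributes; nothing reaches $atts[0]
        }
        if (!preg_match(SAFE_LANG, $first)) {
            $findings[] = ['post_id' => $post_id, 'shortcode' => $match[0], 'attr' => $first];
        }
    }
    return $findings;
}

// Constructed sample post bodies; in practice read post_content from the
// database or through WP-CLI / get_posts().
$sample_posts = [
    101 => "Intro\n[code php]echo 1;[/code]\n[c js]let x = 1;[/c]",
    102 => "[code \"php onmouseover=alert(1)//\"]x[/code]",   // payload from the advisory
    103 => "[c \"ruby style=color:red\"]x[/c] [[code php]] [code lang=php]a[/code]",
];

foreach ($sample_posts as $id => $content) {
    foreach (find_suspicious_shortcodes($id, $content) as $f) {
        printf("post %d: %s (first attribute: %s)\n", $f['post_id'], $f['shortcode'], $f['attr']);
    }
}

// Temporary mitigation: unregister the shortcodes after the plugin has added
// them. Priority 20 on 'init' is an assumption; confirm it runs after the
// plugin's own registration. Guarded so this file also runs outside WordPress.
if (function_exists('add_action')) {
    add_action('init', function () {
        remove_shortcode('code');
        remove_shortcode('c');
    }, 20);
}
```

Run from the CLI, the scan reports posts 102 and 103 and stays silent for 101, whose attributes are ordinary aliases. Dropped into an mu-plugin on a live site, the hook section stops the plugin from rendering the shortcodes until a fixed version is installed; the literal [code] text then appears in posts, which is the intended, visible side effect of the temporary measure.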
Evidence notes
Vulnerability confirmed via Wordfence security advisory and source code analysis of the affected plugin files at lines 116 and 123 of PrismSyntaxHighlither.php. The CWE-79 classification (Improper Neutralization of Input During Web Page Generation) is assigned by the original reporter. CVSS vector confirms network attack vector, low privileges required, and changed scope indicating impact beyond the vulnerable component.
Official resources
2026-05-27