PatchSiren cyber security CVE debrief
CVE-2026-12108 looswebstudio CVE debrief
The Highlighting Code Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.0. This vulnerability is due to insufficient input sanitization and output escaping, allowing authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability only affects multi-site installations and installations where unfiltered_html has been disabled. The vulnerability has a CVSS score of 4.4 and a severity of MEDIUM.
- Vendor
- looswebstudio
- Product
- Highlighting Code Block
- CVSS
- MEDIUM 4.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of the Highlighting Code Block plugin for WordPress, particularly those with multi-site installations or installations where unfiltered_html has been disabled, should be aware of this vulnerability. Administrators with administrator-level permissions and above are at risk of being exploited. It is essential to review and update plugins and themes for known vulnerabilities regularly.
Technical summary
The Highlighting Code Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.0. This is due to insufficient input sanitization and output escaping, allowing authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability only affects multi-site installations and installations where unfiltered_html has been disabled.
Defensive priority
Medium priority due to the requirement for administrator-level permissions and the limited scope of impact.
Recommended defensive actions
- Update the Highlighting Code Block plugin to a version beyond 2.2.0.
- Implement additional input sanitization and output escaping measures for admin settings.
- Monitor for suspicious activity related to admin settings changes.
- Consider disabling unfiltered_html if not already done.
- Regularly review and update plugins and themes for known vulnerabilities.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-10T09:16:52.417Z and was last modified on 2026-07-10T19:17:20.007Z. The vulnerability was reported by [email protected]. This vulnerability affects multi-site installations and installations where unfiltered_html has been disabled. There is no evidence of exploitation in the wild. The CVE record does not provide additional details on the vulnerability, but it is related to insufficient input sanitization and output escaping in the Highlighting Code Block plugin for WordPress.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T09:16:52.417Z and has not been modified since then.