PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12108 looswebstudio CVE debrief

The Highlighting Code Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.0. This vulnerability is due to insufficient input sanitization and output escaping, allowing authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability only affects multi-site installations and installations where unfiltered_html has been disabled. The vulnerability has a CVSS score of 4.4 and a severity of MEDIUM.

Vendor
looswebstudio
Product
Highlighting Code Block
CVSS
MEDIUM 4.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of the Highlighting Code Block plugin for WordPress, particularly those with multi-site installations or installations where unfiltered_html has been disabled, should be aware of this vulnerability. Administrators with administrator-level permissions and above are at risk of being exploited. It is essential to review and update plugins and themes for known vulnerabilities regularly.

Technical summary

The Highlighting Code Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.0. This is due to insufficient input sanitization and output escaping, allowing authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability only affects multi-site installations and installations where unfiltered_html has been disabled.

Defensive priority

Medium priority due to the requirement for administrator-level permissions and the limited scope of impact.

Recommended defensive actions

  • Update the Highlighting Code Block plugin to a version beyond 2.2.0.
  • Implement additional input sanitization and output escaping measures for admin settings.
  • Monitor for suspicious activity related to admin settings changes.
  • Consider disabling unfiltered_html if not already done.
  • Regularly review and update plugins and themes for known vulnerabilities.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-10T09:16:52.417Z and was last modified on 2026-07-10T19:17:20.007Z. The vulnerability was reported by [email protected]. This vulnerability affects multi-site installations and installations where unfiltered_html has been disabled. There is no evidence of exploitation in the wild. The CVE record does not provide additional details on the vulnerability, but it is related to insufficient input sanitization and output escaping in the Highlighting Code Block plugin for WordPress.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T09:16:52.417Z and has not been modified since then.