PatchSiren cyber security CVE debrief
CVE-2026-10092 nicashmu CVE debrief
The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [cincopa] shortcode in post comments in all versions up to, and including, 1.163. The plugin expands the shortcode through a comment_text filter hook, so an unauthenticated visitor who is allowed to post a comment can supply a malicious shortcode argument that is stored in the database and later rendered, unsanitized, as script in the browser of every user who views the affected page. The vulnerability has a CVSS score of 7.2 and is classified as HIGH severity. The CVE record was published on June 24, 2026, and last modified on June 25, 2026.
- Vendor: nicashmu
- Product: Cincopa video and media plug-in
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-24
- Original CVE updated: 2026-06-25
- Advisory published: 2026-06-24
- Advisory updated: 2026-06-25
Who should care
WordPress site owners running the Cincopa video and media plug-in plugin are affected, above all those that accept public comments, since posting a comment is the path an unauthenticated attacker uses. Security teams responsible for monitoring and patching WordPress installations should prioritize this vulnerability because it is high severity and requires neither authentication nor user interaction to exploit.
Technical summary
The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the [cincopa] shortcode in post comments, in all versions up to and including 1.163. WordPress core does not expand shortcodes in comment text; the plugin adds that behaviour by processing [cincopa] through a comment_text filter hook. As a result, an unauthenticated visitor who can post a comment can supply a shortcode argument that is stored in the database and, because of insufficient input sanitization and output escaping, is written into the page markup unchanged. The injected script then executes in the browser of any user who views a page where the comment is rendered. The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N: network-reachable, low attack complexity, no privileges or user interaction required, changed scope, and limited confidentiality and integrity impact.
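The following stand-alone PHP is an added illustration of the bug class described above; it is not code from the Cincopa plugin or from this advisory. It pairs a shortcode handler that concatenates an attacker-controlled attribute into markup with a hardened one that escapes for the attribute context, and drives both from a constructed comment. The attribute name fid, both handler functions and the expand_cincopa() helper are hypothetical, and the WordPress helpers are replaced by minimal stand-ins so the file runs on the plain php CLI.

```php
<?php
// Added example (not Cincopa's code): the shortcode-in-comments XSS pattern from
// this debrief, shown as a vulnerable handler next to a hardened one. The
// attribute name "fid" and both handlers are hypothetical. WordPress helpers are
// stubbed below so the file runs on its own:  php shortcode_xss_demo.php

// Stand-in for WordPress esc_attr(): escape text for use inside a quoted HTML attribute.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Minimal attribute parser accepting key="value" and key='value'. This is only
// enough to mirror how WordPress's shortcode_parse_atts() lets a single-quoted
// value carry double quotes; real WordPress parsing handles more forms.
function parse_attrs(string $attr_string): array
{
    $atts = [];
    if (preg_match_all('/(\w+)=(?:"([^"]*)"|\'([^\']*)\')/', $attr_string, $m, PREG_SET_ORDER)) {
        foreach ($m as $pair) {
            // group 3 is only present when the single-quoted alternative matched
            $atts[$pair[1]] = $pair[3] ?? $pair[2];
        }
    }
    return $atts;
}

// Vulnerable handler: the attacker-controlled attribute is concatenated into markup.
function cincopa_handler_vulnerable(array $atts): string
{
    $fid = $atts['fid'] ?? '';
    return '<div class="cincopa-player" data-fid="' . $fid . '"></div>';
}

// Hardened handler: escape for the attribute context. An allowlist on the ID
// format (for example /^[A-Za-z0-9_-]+$/) would be a sensible second layer.
function cincopa_handler_fixed(array $atts): string
{
    $fid = $atts['fid'] ?? '';
    return '<div class="cincopa-player" data-fid="' . esc_attr($fid) . '"></div>';
}

// Expand [cincopa ...] tags in a piece of text, the way a plugin that registers
// add_filter('comment_text', 'do_shortcode') would expand them in comments.
// WordPress core does not expand shortcodes in comment text by itself.
function expand_cincopa(string $text, callable $handler): string
{
    return preg_replace_callback(
        '/\[cincopa\b([^\]]*)\]/',
        fn(array $m): string => $handler(parse_attrs($m[1])),
        $text
    );
}

// Constructed comment body (not a real sample). The single-quoted value smuggles
// a double quote that closes data-fid and appends an event-handler attribute.
$comment = 'Great clip! [cincopa fid=\'x" onmouseover="alert(document.cookie)\']';

echo "Vulnerable rendering:\n", expand_cincopa($comment, 'cincopa_handler_vulnerable'), "\n\n";
echo "Hardened rendering:\n", expand_cincopa($comment, 'cincopa_handler_fixed'), "\n";
```

With the vulnerable handler the comment renders as a div carrying a live onmouseover attribute; with the hardened handler the same input stays inside data-fid, the embedded double quotes having been turned into &quot; entities. Escaping at the output site is the fix for the handler itself; the broader option is to not expand shortcodes in comments at all, either by not hooking do_shortcode onto comment_text or by running strip_shortcodes() on comment content first, which removes this attack surface entirely.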
Defensive priority
High priority should be given to patching this vulnerability due to its high CVSS score of 7.2 and the potential for unauthenticated exploitation. Immediate action is recommended to prevent potential attacks.
Recommended defensive actions
- Patch the Cincopa video and media plug-in plugin to version 1.164 or later.
- Limit comment posting to authenticated users, or apply strict input validation to comments; a comment carrying a [cincopa] shortcode has no legitimate reason to include quote characters, angle brackets or event-handler names in its arguments.
- Monitor for suspicious comment activity, in particular stored comments containing a [cincopa] shortcode with such characters in its arguments, and remove any that are found.
- Consider a Web Application Firewall (WAF) rule for this shortcode as a stop-gap; a WAF reduces exposure to XSS attempts but does not replace the patch.
- Regularly update and patch all WordPress plugins and themes.
Evidence notes
The CVE record and NVD detail provide the official information about the vulnerability; the Wordfence references add further detail on the affected shortcode handling and its exploitation. The publication and modification dates are listed above.
Official resources
This article is AI-assisted and based on the supplied source corpus.