cleantalk
Vulnerabilities and Security Researches

Prismatic, CVE-2026-3876

CVE, Research URL

CVE-2026-3876

Home page URL

Security reports for Prismatic

Application

Prismatic

Published on
Apr 16, 2026
Research Description
The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3. This is due to insufficient input sanitization and output escaping on user-supplied attributes within the 'prismatic_decode' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by submitting a comment containing a crafted 'prismatic_encoded' pseudo-shortcode.
Affected versions
max 3.7.4.
Status
vulnerable
Previous vulnerability researches
Advanced Custom Fields: Table Field (CVE-2025-12067) , Jan 27, 2026
Advanced Custom Fields: Table Field (a4db1680-e0ac-425e-90bf-306bb65b921f) , Jun 07, 2024
New vulnerability
Stripe Payments by Buy Now Plus – Best WordPress Stripe Credit Card Payments Plugin (CVE-2026-1295) , Apr 16, 2026
ZoomifyWP Free (CVE-2026-1187) , Apr 16, 2026
SEATT: Simple Event Attendance (CVE-2026-1983) , Apr 16, 2026
CP Image Store with Slideshow (CVE-2026-0684) , Apr 16, 2026
Payment Page | Best Payment Plugin for Stripe & PayPal (CVE-2026-0751) , Apr 16, 2026