cleantalk
Vulnerabilities and Security Researches

Short Comment Filter, CVE-2026-3362

CVE, Research URL

CVE-2026-3362

Home page URL

Security reports for Short Comment Filter

Application

Short Comment Filter

Published on
Apr 22, 2026
Research Description
The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Minimum Count' settings field in all versions up to and including 2.2. This is due to insufficient input sanitization (no sanitize callback on register_setting) and missing output escaping (no esc_attr() on the echoed value in the input's value attribute). The option value is stored via update_option() and rendered unescaped in an HTML attribute context. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses that page. This is particularly impactful in WordPress multisite installations or when DISALLOW_UNFILTERED_HTML is set, where administrators are not granted the unfiltered_html capability.
Affected versions
max 2.2.
Status
vulnerable
Previous vulnerability researches
Booking Calendar – Clockwork SMS (CVE-2017-17780) , Jun 07, 2024
Booking Calendar – Clockwork SMS (CVE-2017-18555) , Jun 07, 2024
New vulnerability
The Events Calendar (CVE-2025-9807) , Apr 24, 2026
The Events Calendar (CVE-2025-9808) , Apr 24, 2026
Sendmachine for WordPress (CVE-2026-6235) , Apr 24, 2026
Emailchef (CVE-2026-1930) , Apr 24, 2026
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier (CVE-2025-6833) , Apr 24, 2026