cleantalk
Vulnerabilities and Security Researches

Prismatic, CVE-2026-3876

CVE, Research URL

CVE-2026-3876

Home page URL

Security reports for Prismatic

Application

Prismatic

Published on
Apr 16, 2026
Research Description
The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3. This is due to insufficient input sanitization and output escaping on user-supplied attributes within the 'prismatic_decode' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by submitting a comment containing a crafted 'prismatic_encoded' pseudo-shortcode.
Affected versions
max 3.7.4.
Status
vulnerable
Previous vulnerability researches
GatorMail SmartForms (CVE-2024-11386) , Jan 12, 2025
New vulnerability
Church Admin (CVE-2026-0682) , Apr 16, 2026
Stripe Payments by Buy Now Plus – Best WordPress Stripe Credit Card Payments Plugin (CVE-2026-1295) , Apr 16, 2026
ZoomifyWP Free (CVE-2026-1187) , Apr 16, 2026
SEATT: Simple Event Attendance (CVE-2026-1983) , Apr 16, 2026
CP Image Store with Slideshow (CVE-2026-0684) , Apr 16, 2026