CVE-2026-4083

Name of the Vulnerable Software and Affected Versions Scoreboard for HTML5 Games Lite plugin for WordPress versions up to and including 1.2

Description The Scoreboard for HTML5 Games Lite plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'scoreboard' shortcode. The sfhg shortcode() function permits the addition of arbitrary HTML attributes to the rendered <iframe> element, with a limited blacklist of four attribute names (same height as, onload, onpageshow, onclick). While attribute names are processed by esc html() and values by esc attr(), this does not prevent the injection of JavaScript event handler attributes such as onfocus, onmouseover, and onmouseenter, as these attributes and simple JavaScript payloads do not contain characters modified by these escaping functions. The shortcode text is stored in post content and rendered to HTML after WordPress’s kses filtering, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages, which will execute when a user accesses the injected page.

Recommendations Versions prior to 1.3 are vulnerable. Update to a version greater than 1.2 to address this issue.