CVE-2026-3876

Name of the Vulnerable Software and Affected Versions Prismatic versions prior to 3.7.4

Description The Prismatic plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping on user-supplied attributes within the prismatic decode() function. Unauthenticated attackers can inject arbitrary web scripts into pages by submitting a comment containing a crafted 'prismatic encoded' pseudo-shortcode, which then execute when a user accesses the affected page.

Recommendations Update to a version newer than 3.7.3. As a temporary workaround, restrict the use of the 'prismatic encoded' pseudo-shortcode in user comments.