PT-2026-34277 · WordPress · Short Comment Filter

Published 2026-04-22 · Updated 2026-04-23 · CVE-2026-3362

CVSS v3.1: 4.4 (Medium)

Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Short Comment Filter versions prior to 2.3

Description: The Short Comment Filter plugin for WordPress contains a Stored Cross-Site Scripting vulnerability. The 'Minimum Count' settings field lacks input sanitization and output escaping: the option is registered via register_setting() without a sanitize callback, and the stored value is echoed into an HTML attribute without esc_attr(). Authenticated attackers with administrator-level access or higher can inject arbitrary web scripts into the settings page, which execute when a user visits that page. This is especially significant in WordPress multisite installations or environments where DISALLOW_UNFILTERED_HTML is enabled, since those restrict the unfiltered_html capability for administrators.

Recommendations: Update to a version later than 2.2.
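The defect class named in the description, shown as the weak register_setting()/echo pattern beside its hardened form. This is an added example, not the plugin's own code; the option and group names (scf_example_*) and the default of 5 are assumptions.

```php
<?php
// Added example (not the plugin's code). Option/group names are assumed
// placeholders, not the plugin's real identifiers.

// --- Weak pattern: no sanitize_callback, raw value echoed into an attribute ---
function scf_example_register_weak() {
    // Without 'sanitize_callback', whatever an administrator submits is stored verbatim.
    register_setting( 'scf_example_group', 'scf_example_minimum_count' );
}

function scf_example_field_weak() {
    $value = get_option( 'scf_example_minimum_count', 5 );
    // Unescaped output in an attribute context: a stored value containing a
    // quote character is no longer confined to the value="" attribute.
    echo '<input type="number" name="scf_example_minimum_count" value="' . $value . '">';
}

// --- Hardened pattern: validate on write, escape on output ---
function scf_example_sanitize_minimum_count( $input ) {
    // The setting is a count, so coerce to a non-negative integer;
    // absint() discards every non-numeric character.
    $count = absint( $input );
    return $count > 0 ? $count : 5; // fall back to the assumed default of 5
}

function scf_example_register_hardened() {
    register_setting(
        'scf_example_group',
        'scf_example_minimum_count',
        array(
            'type'              => 'integer',
            'sanitize_callback' => 'scf_example_sanitize_minimum_count',
            'default'           => 5,
        )
    );
}

function scf_example_field_hardened() {
    $value = get_option( 'scf_example_minimum_count', 5 );
    // esc_attr() is the escaper for the HTML attribute context; apply it on
    // output even though the sanitize callback should already have stored an int.
    printf(
        '<input type="number" min="1" name="%s" value="%s">',
        esc_attr( 'scf_example_minimum_count' ),
        esc_attr( $value )
    );
}

add_action( 'admin_init', 'scf_example_register_hardened' );
```

Sanitization on write and escaping on output are independent controls; the hardened form keeps both, so a value that bypasses one is still neutralized by the other.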

Fix

XSS


Weakness Enumeration

Related Identifiers: CVE-2026-3362

Affected Products: Short Comment Filter