The Highlighting Code Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Metrics
Affected Vendors & Products
References
History
Mon, 13 Jul 2026 15:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Looswebstudio
Looswebstudio highlighting Code Block Wordpress Wordpress wordpress |
|
| Vendors & Products |
Looswebstudio
Looswebstudio highlighting Code Block Wordpress Wordpress wordpress |
Fri, 10 Jul 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 10 Jul 2026 09:00:00 +0000
Status: PUBLISHED
Assigner: Wordfence
Published: 2026-07-10T07:48:40.621Z
Updated: 2026-07-10T18:15:41.887Z
Reserved: 2026-06-12T14:32:13.190Z
Link: CVE-2026-12108
Updated: 2026-07-10T18:15:37.874Z
No data.
No data.