CVE-2026-4083
Stored XSS in WordPress HTML5 Games Lite Scoreboard Shortcode
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| demonisblack | scoreboard_for_html5_games_lite | to 1.2 (inc) |
| demonisblack | scoreboard_for_html5_games_lite | 1.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Scoreboard for HTML5 Games Lite WordPress plugin (up to version 1.2) is a Stored Cross-Site Scripting (XSS) issue via the 'scoreboard' shortcode. The shortcode function allows arbitrary HTML attributes to be added to the rendered iframe element, but only blocks four specific attribute names. Although attribute names and values are escaped, this does not prevent injection of JavaScript event handler attributes like onfocus or onmouseover, which can contain simple JavaScript payloads that bypass escaping.
Because the shortcode text is stored in post content and expanded to HTML at render time after WordPress's filtering, authenticated users with Contributor-level access or higher can inject malicious scripts into pages. These scripts execute whenever a user visits the infected page, enabling persistent XSS attacks.
How can this vulnerability impact me? :
This vulnerability allows authenticated users with Contributor-level access or above to inject arbitrary JavaScript into pages via the scoreboard shortcode. The injected scripts execute in the context of any user viewing the affected page.
- Attackers can perform actions such as stealing user session cookies, redirecting users to malicious sites, or performing actions on behalf of users without their consent.
- Because the vulnerability is stored (persistent), the malicious code remains active on the site until removed, potentially affecting many users.
- This can lead to compromised user accounts, data theft, and damage to the website's reputation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'scoreboard' shortcode in the Scoreboard for HTML5 Games Lite WordPress plugin versions up to 1.2. Detection involves identifying posts or pages containing the vulnerable shortcode with potentially malicious iframe attributes."}, {'type': 'paragraph', 'content': "To detect exploitation attempts or presence of malicious payloads, you can search your WordPress database for posts containing the '[scoreboard]' shortcode with suspicious attributes such as JavaScript event handlers (e.g., onfocus, onmouseover, onmouseenter) embedded in the shortcode attributes."}, {'type': 'list_item', 'content': 'Run a SQL query on the WordPress database to find posts containing the shortcode with suspicious attributes, for example:'}, {'type': 'list_item', 'content': "SELECT ID, post_title, post_content FROM wp_posts WHERE post_content LIKE '%[scoreboard%' AND (post_content LIKE '%onfocus=%' OR post_content LIKE '%onmouseover=%' OR post_content LIKE '%onmouseenter=%');"}, {'type': 'paragraph', 'content': 'Additionally, monitoring HTTP requests and responses for injected JavaScript in pages rendering the shortcode iframe can help detect active exploitation.'}, {'type': 'list_item', 'content': 'Use tools like curl or wget to fetch pages suspected of being infected and inspect the iframe elements for unexpected event handler attributes.'}, {'type': 'list_item', 'content': 'Example command to fetch and grep for suspicious iframe attributes:'}, {'type': 'list_item', 'content': "curl -s https://example.com/page-with-scoreboard | grep -E 'onfocus=|onmouseover=|onmouseenter='"}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary mitigation step is to update the Scoreboard for HTML5 Games Lite WordPress plugin to version 1.3 or later, as this version includes security hardening that restricts iframe attributes to a safe whitelist and excludes dangerous event handler attributes.'}, {'type': 'paragraph', 'content': 'If immediate updating is not possible, consider removing or disabling the vulnerable shortcode usage in posts or pages, especially those that allow Contributor-level users or above to add content.'}, {'type': 'paragraph', 'content': 'Restrict user permissions to prevent unauthorized users from injecting malicious shortcode attributes.'}, {'type': 'list_item', 'content': 'Update the plugin to version 1.3 or higher.'}, {'type': 'list_item', 'content': "Audit and sanitize existing content containing the '[scoreboard]' shortcode to remove malicious attributes."}, {'type': 'list_item', 'content': 'Limit Contributor-level and higher user permissions to trusted users only.'}, {'type': 'list_item', 'content': 'Monitor and filter HTTP requests and responses for suspicious iframe attribute injections.'}] [2]