CVE-2026-12108 in Highlighting Code Block Plugininfo

Summary

by MITRE • 07/10/2026

The Highlighting Code Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/10/2026

The Highlighting Code Block plugin for WordPress presents a critical stored cross-site scripting vulnerability that undermines the security posture of affected installations. This flaw exists within the plugin's admin settings handling mechanism and affects all versions up to and including 2.2.0, creating a persistent threat vector that can compromise user sessions and execute malicious code within the context of privileged administrator accounts. The vulnerability specifically targets the sanitization and escaping of user inputs during the configuration process, allowing attackers to inject malicious scripts that persist in the plugin's stored settings.

The technical implementation of this vulnerability stems from inadequate input validation and output escaping mechanisms within the plugin's administrative interface. When administrators configure the plugin settings, the system fails to properly sanitize or escape potentially malicious content submitted through form fields, creating a condition where attacker-controlled scripts can be stored in the WordPress database alongside legitimate configuration data. This stored content is then executed whenever any user accesses pages that utilize the highlighted code blocks, effectively turning the plugin into a vehicle for persistent script injection attacks.

Operational impact of this vulnerability extends beyond simple script execution, as it provides authenticated attackers with elevated privileges to manipulate the WordPress environment according to their malicious intent. The attack requires only administrator-level permissions or higher, making it particularly dangerous in environments where administrative accounts are compromised or where privilege escalation occurs through other means. The vulnerability's exploitation is limited to multi-site installations and configurations where unfiltered_html has been disabled, but these restrictions do not mitigate the severity of the threat. Attackers can leverage this weakness to establish persistent backdoors, steal session cookies, redirect users to malicious sites, or execute arbitrary commands on the affected server.

The security implications align with CWE-79 which addresses Cross-Site Scripting vulnerabilities in web applications, and the attack pattern corresponds to ATT&CK technique T1548.003 for Abuse of Functionality and T1566.001 for Spearphishing Attachment. Organizations using this plugin should immediately implement mitigation strategies including immediate plugin updates to versions that address the vulnerability, implementing strict input validation measures, and conducting thorough security audits of administrative configurations. Additionally, network monitoring should be enhanced to detect suspicious script injection patterns, and privileged account access should be closely monitored for unauthorized modifications to plugin settings. The vulnerability demonstrates the critical importance of proper input sanitization and output escaping in web applications, particularly within content management systems where administrators have broad control over user-facing functionality.

This issue exemplifies how seemingly innocuous administrative features can become attack vectors when proper security controls are absent from plugin development processes. The stored nature of the XSS vulnerability means that malicious scripts remain persistent even after initial exploitation, allowing attackers to maintain access and continue executing code across multiple user sessions without requiring repeated injection attempts. Organizations should consider implementing additional layers of protection including web application firewalls, regular security scanning of plugin configurations, and mandatory security training for administrators regarding the risks associated with plugin management in WordPress environments.

Responsible

Wordfence

Reservation

06/12/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!