CVE-2026-4083 in Scoreboard for HTML5 Games Lite Plugin
Summary
by MITRE • 03/21/2026
The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'scoreboard' shortcode in all versions up to, and including, 1.2. The shortcode function sfhg_shortcode() allows arbitrary HTML attributes to be added to the rendered <iframe> element, with only a small blacklist of four attribute names (same_height_as, onload, onpageshow, onclick) being blocked. While the attribute names are passed through esc_html() and values through esc_attr(), this does not prevent injection of JavaScript event handler attributes like onfocus, onmouseover, onmouseenter, etc., because these attribute names and simple JavaScript payloads contain no characters that would be modified by these escaping functions. The shortcode text is stored in post_content and is only expanded to HTML at render time, after WordPress's kses filtering has already been applied to the raw post content. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/27/2026
The vulnerability identified as CVE-2026-4083 affects the Scoreboard for HTML5 Games Lite WordPress plugin, presenting a critical stored cross-site scripting risk that can be exploited by authenticated users with contributor-level privileges or higher. This security flaw exists within the plugin's shortcode functionality, specifically in the sfhg_shortcode() function that processes the 'scoreboard' shortcode. The vulnerability stems from insufficient input validation and sanitization mechanisms that fail to adequately filter potentially dangerous HTML attributes, creating a persistent XSS vector that can compromise user sessions and execute malicious code in the context of affected websites.
The technical implementation of this vulnerability occurs through the plugin's handling of HTML attributes within the rendered iframe element. While the plugin employs basic escaping functions esc_html() and esc_attr() to process attribute names and values, these functions prove insufficient against the specific attack vector. The security mechanism only blocks four predefined attribute names including same_height_as, onload, onpageshow, and onclick, leaving numerous other JavaScript event handler attributes such as onfocus, onmouseover, and onmouseenter unfiltered. These attributes can contain malicious JavaScript payloads that bypass the escaping mechanisms because the escaping functions do not modify characters that would be present in standard JavaScript event handlers, allowing attackers to inject functional XSS payloads that execute in the victim's browser context.
The operational impact of this vulnerability extends beyond simple data theft or session hijacking, as it enables attackers to perform sophisticated attacks through the compromised WordPress installation. Since the shortcode content is stored in post_content and processed during rendering after WordPress's kses filtering has already been applied, the vulnerability creates a persistent threat that can affect multiple users who access pages containing the malicious shortcode. This stored XSS vulnerability allows attackers to inject malicious scripts that will execute whenever any user views a page containing the compromised shortcode, potentially enabling session theft, credential harvesting, or redirection to malicious sites. The vulnerability affects all versions up to and including 1.2, indicating that a significant portion of users may be exposed to this risk without awareness.
Security mitigations for this vulnerability should focus on implementing comprehensive input validation and attribute filtering mechanisms that go beyond simple blacklisting approaches. The plugin should employ a whitelist-based approach for HTML attributes, explicitly defining which attributes are permitted and rejecting all others, rather than relying on a limited blacklist that fails to account for the full spectrum of potentially dangerous JavaScript event handlers. Additionally, the escaping functions should be enhanced to properly sanitize all attribute names and values, including those that might contain JavaScript event handlers. The security implementation should also consider implementing Content Security Policy headers to provide an additional layer of protection against XSS attacks. This vulnerability aligns with CWE-79 - Improper Neutralization of Input During Web Page Generation, and represents a technique commonly associated with ATT&CK tactic TA0001 - Initial Access and technique T1190 - Exploit Public-Facing Application, emphasizing the need for proper input validation and output encoding in web applications. Organizations should immediately update to patched versions of the plugin, implement additional monitoring for suspicious shortcode usage, and conduct security reviews of other plugins that may employ similar attribute handling patterns.