CVE-2026-3512

EUVD-2026-12783

18.03.2026, 07:16

The Writeprint Stylometry plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'p' GET parameter in all versions up to and including 0.1. This is due to insufficient input sanitization and output escaping in the bjl_wprintstylo_comments_nav() function. The function directly outputs the $_GET['p'] parameter into an HTML href attribute without any escaping. This makes it possible for authenticated attackers with Contributor-level permissions or higher to inject arbitrary web scripts in pages that execute if they can successfully trick another user into performing an action such as clicking on a link.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Wordfence	CNA	6.1 MEDIUM				CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://plugins.trac.wordpress.org/browser/writeprint-stylometry/tags/0.1/writeprint-stylometry.php#L341

https://plugins.trac.wordpress.org/browser/writeprint-stylometry/tags/0.1/writeprint-stylometry.php#L345

https://plugins.trac.wordpress.org/browser/writeprint-stylometry/trunk/writeprint-stylometry.php#L341

https://plugins.trac.wordpress.org/browser/writeprint-stylometry/trunk/writeprint-stylometry.php#L345

https://www.wordfence.com/threat-intel/vulnerabilities/id/5a614ce5-faa4-4b27-84bd-f15f8652d477?source=cve