CVE-2026-3512 Overview
The Writeprint Stylometry plugin for WordPress contains a Reflected Cross-Site Scripting (XSS) vulnerability in all versions up to and including 0.1. The vulnerability exists due to insufficient input sanitization and output escaping in the bjl_wprintstylo_comments_nav() function. The function directly outputs the $_GET['p'] parameter into an HTML href attribute without any escaping, allowing attackers to inject malicious JavaScript code that executes in the context of a victim's browser session.
Critical Impact
Authenticated attackers with Contributor-level permissions or higher can inject arbitrary web scripts that execute when a user clicks on a malicious link, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of the victim.
Affected Products
- Writeprint Stylometry WordPress Plugin version 0.1 and earlier
- WordPress installations with Writeprint Stylometry plugin enabled
- All users with Contributor-level or higher permissions are potential attack vectors
Discovery Timeline
- 2026-03-18 - CVE-2026-3512 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-3512
Vulnerability Analysis
This Reflected XSS vulnerability stems from improper handling of user-supplied input in the WordPress plugin's navigation functionality. The bjl_wprintstylo_comments_nav() function accepts the p GET parameter and incorporates it directly into the page's HTML output without proper sanitization or encoding. When a victim clicks on a crafted URL containing malicious JavaScript in the p parameter, the script executes within the victim's authenticated session context.
The vulnerability requires user interaction (clicking a malicious link) and can be exploited by authenticated attackers with at least Contributor-level access. Due to the reflected nature of this XSS, the attack vector is particularly effective in social engineering scenarios where attackers can distribute malicious links through various channels.
Root Cause
The root cause of this vulnerability is the failure to implement proper output escaping when rendering user-controlled input. Specifically, the $_GET['p'] parameter is directly concatenated into an HTML href attribute in the plugin's source code at lines 341-345 of writeprint-stylometry.php. WordPress provides built-in escaping functions such as esc_attr() and esc_url() that should be used when outputting user input into HTML attributes, but these were not implemented in the vulnerable code.
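The contrast between unescaped and escaped output is shown in the added example below. It is not the plugin's source: the demo_* function names, the link shape and the sample value are hypothetical, and it assumes p is meant to carry a numeric post ID, as it does in WordPress core URLs.

```php
<?php
// Added illustration, not the plugin's source. demo_* names are hypothetical.

// Stand-ins so the file runs from the PHP CLI; inside WordPress the core
// absint() and esc_attr() already exist and these definitions are skipped.
if (!function_exists('absint')) {
    function absint($value) { return abs((int) $value); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// The pattern the advisory describes: request data concatenated into href as-is.
function demo_nav_link_unescaped(array $get): string {
    $p = $get['p'] ?? '';
    return '<a href="?p=' . $p . '&amp;cpage=2">Older comments</a>';
}

// Hardened: coerce to the expected type first, then escape for the attribute.
function demo_nav_link_escaped(array $get): string {
    $post_id = absint($get['p'] ?? 0);   // assumption: p is a numeric post ID
    $href = '?p=' . $post_id . '&cpage=2';
    return '<a href="' . esc_attr($href) . '">Older comments</a>';
}

// Constructed input: the double quote ends the attribute early, so the rest
// of the value is parsed as a new attribute in the unescaped version.
$sample = ['p' => '12" data-injected="1'];
echo demo_nav_link_unescaped($sample), PHP_EOL;
echo demo_nav_link_escaped($sample), PHP_EOL;
```

When the link target is a full URL rather than a relative query string, esc_url() is the matching WordPress function for the href context.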
Attack Vector
The attack is network-based and requires an attacker to craft a malicious URL containing a JavaScript payload in the p GET parameter. The attacker must then convince a victim with an active WordPress session to click the malicious link. Upon clicking, the JavaScript executes in the victim's browser with the same privileges as the authenticated user, potentially allowing:
- Session token theft via document.cookie access
- Keylogging and form data interception
- Unauthorized actions performed on behalf of the victim
- Defacement of page content visible to the victim
- Redirection to phishing sites
The payload is carried in the p parameter value. Because that value is reflected into the page's href attribute without encoding, it can break out of the attribute context, and the script appended to it then executes in the victim's browser.
Detection Methods for CVE-2026-3512
Indicators of Compromise
- Review web server access logs for requests containing suspicious JavaScript patterns in the p GET parameter
- Look for encoded script tags or event handlers (<script>, onerror=, onload=, etc.) in URL parameters
- Monitor for unusual URL patterns targeting the Writeprint Stylometry plugin endpoints
- Check for reports from users about unexpected browser behavior or redirects
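The log review described above can be done by allow-listing instead of pattern matching. This is an added example, not code from the plugin or the advisory: it assumes combined-format access logs and a numeric post ID in p, and the function name and log lines are constructed.

```php
<?php
// Added illustration; the function name and the sample log lines are constructed.

// Returns decoded p values that are not plain post IDs, keyed by line number.
function demo_flag_suspicious_p(array $logLines): array {
    $hits = [];
    foreach ($logLines as $n => $line) {
        // Request target from a combined-format line: "METHOD target HTTP/x.y"
        if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $q = strstr($m[1], '?');            // query string including '?'
        if ($q === false) {
            continue;
        }
        foreach (explode('&', substr($q, 1)) as $pair) {
            [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
            if (urldecode($name) !== 'p') {
                continue;
            }
            // Decode repeatedly (bounded) so double-encoded values are compared
            // in the form the browser or a later decoder would see.
            for ($i = 0; $i < 3; $i++) {
                $next = urldecode($value);
                if ($next === $value) {
                    break;
                }
                $value = $next;
            }
            // Assumption: a legitimate p is a numeric post ID and nothing else.
            if (!preg_match('/^\d{1,20}$/', $value)) {
                $hits[$n + 1] = $value;
            }
        }
    }
    return $hits;
}

// Constructed sample lines (documentation IP range, harmless values).
$sampleLog = [
    '203.0.113.7 - - [18/Mar/2026:10:01:22 +0000] "GET /?p=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Mar/2026:10:02:10 +0000] "GET /?p=42%22%20onload%3D1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Mar/2026:10:02:15 +0000] "GET /?cpage=2&p=42%2522%253E HTTP/1.1" 200 5120',
];
foreach (demo_flag_suspicious_p($sampleLog) as $lineNo => $value) {
    printf("line %d: p=%s\n", $lineNo, json_encode($value));
}
```

Flagging every non-numeric p avoids maintaining a list of script keywords and also surfaces double-encoded values that a keyword filter would miss.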
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block XSS payloads in GET parameters
- Implement Content Security Policy (CSP) headers to mitigate the impact of successful XSS exploitation
- Use browser-based XSS auditors and protection mechanisms where available
- Configure intrusion detection systems to alert on common XSS attack patterns in HTTP requests
Monitoring Recommendations
- Enable detailed logging for all requests to WordPress plugin endpoints
- Set up alerts for HTTP requests containing encoded or plain JavaScript patterns in query strings
- Monitor Content Security Policy violation reports for XSS attempt indicators
- Regularly audit plugin source code for similar input validation issues
How to Mitigate CVE-2026-3512
Immediate Actions Required
- Immediately disable the Writeprint Stylometry plugin until a patched version is available
- Review web server logs for evidence of exploitation attempts
- Implement WAF rules to block requests with suspicious payloads in the p parameter
- Consider implementing Content Security Policy headers to reduce XSS impact
Patch Information
As of the last update on 2026-03-18, no official patch has been released for this vulnerability. Organizations should monitor the Wordfence Vulnerability Report for updates on patch availability. The vulnerable code can be reviewed at the WordPress Plugin Repository.
Workarounds
- Disable or remove the Writeprint Stylometry plugin from WordPress installations until a patch is available
- Restrict access to the WordPress admin area to trusted IP addresses only
- Implement strict Content Security Policy headers that prevent inline script execution
- Deploy a Web Application Firewall with XSS protection rules enabled
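# Example Apache .htaccess configuration to block suspicious p parameter values.
# [^&]* keeps the match inside the p parameter, so other parameters cannot trigger it.
# %22 and %27 cover percent-encoded quote characters that would end the href attribute.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)p=[^&]*(<|>|%3C|%3E|%22|%27|javascript:|onerror|onload) [NC]
RewriteRule ^.*$ - [F,L]
</IfModule>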
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


