Attack Vectors
Writeprint Stylometry (slug: writeprint-stylometry) versions 0.1 and earlier are affected by a Medium-severity reflected cross-site scripting (XSS) issue tracked as CVE-2026-3512 (CVSS 6.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
The attack is delivered through a crafted URL that manipulates the GET parameter p. Because this is a reflected XSS, the injected script runs only when a target user is convinced to open the malicious link (for example, via email, chat, a comment, a ticketing system, or an internal message).
According to the disclosed details, exploitation is feasible for authenticated attackers with Contributor-level permissions or higher who can successfully trick another user into clicking/visiting the crafted URL. This makes the risk especially relevant for sites with multiple authors, agencies, contractors, or community contributors.
Security Weakness
The vulnerability is caused by insufficient input sanitization and output escaping in the plugin’s bjl_wprintstylo_comments_nav() function. The function directly outputs $_GET['p'] into an HTML href attribute without escaping, enabling script injection in the browser.
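The pattern described above, as an added illustration rather than the plugin's own code: a navigation link that drops a raw GET value into an href, beside the hardened form that validates the value as an integer and escapes for the attribute context. Function names are hypothetical, and the fallbacks at the top are simplified stand-ins (not WordPress's implementations) so the file also runs outside WordPress.

```php
<?php
// Constructed example; not code from the Writeprint Stylometry plugin.
// The stand-ins below are assumptions so this runs without WordPress loaded;
// inside WordPress the real absint(), wp_unslash(), add_query_arg() and
// esc_url() are used instead.
if ( ! function_exists( 'absint' ) ) {
    function absint( $v ) { return abs( (int) $v ); }
    function wp_unslash( $v ) { return stripslashes( $v ); }
    function add_query_arg( $k, $v, $url ) {
        return $url . '?' . rawurlencode( $k ) . '=' . rawurlencode( (string) $v );
    }
    function esc_url( $url ) { return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' ); }
}

// Weak pattern: whatever arrives in ?p= is concatenated straight into the
// attribute, so the attribute (and the element) can be broken out of.
function example_nav_link_weak( $base_url ) {
    $p = isset( $_GET['p'] ) ? $_GET['p'] : '';
    return '<a href="' . $base_url . '?p=' . $p . '">Next</a>';
}

// Hardened pattern: treat p as the integer ID it is meant to be, build the
// URL with add_query_arg(), and escape for the href context with esc_url().
function example_nav_link_hardened( $base_url ) {
    $p = isset( $_GET['p'] ) ? absint( wp_unslash( $_GET['p'] ) ) : 0;
    if ( 0 === $p ) {
        return ''; // nothing valid to link to; emit no link at all
    }
    $url = add_query_arg( 'p', $p, $base_url );
    return '<a href="' . esc_url( $url ) . '">Next</a>';
}

// Constructed request: a non-numeric value where an integer is expected.
$_GET['p'] = '12"><b>not an id</b>';
echo example_nav_link_weak( 'https://example.test/' ), PHP_EOL;
echo example_nav_link_hardened( 'https://example.test/' ), PHP_EOL;
```

The same review check applies to your own themes and plugins: any `$_GET`, `$_POST` or `$_REQUEST` value that reaches an attribute or the page body should pass through validation (absint, sanitize_text_field) and a context-specific escaper (esc_url, esc_attr, esc_html) first.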
There is no known patch available at the time of the advisory. From a risk-management standpoint, that shifts the conversation from “when can we update?” to “how long are we willing to accept exposure?” Many organizations choose to uninstall and replace affected software when no fix is available, especially on customer-facing or revenue-generating properties.
Technical or Business Impacts
Reflected XSS can be used to run attacker-controlled scripts in the context of your site, potentially enabling actions such as: tricking staff into disclosing credentials, manipulating what an administrator sees in the dashboard, or performing unauthorized actions in a logged-in user’s session (depending on that user’s privileges and what protections are in place).
For marketing and executive stakeholders, the practical business risks include brand damage (malicious redirects or defacements seen by prospects), loss of trust (campaign landing pages or content hubs used for phishing), and compliance exposure if user data is accessed or if security controls are deemed inadequate. The CVSS vector indicates user interaction is required (UI:R), which reduces opportunistic drive-by exploitation, but it still aligns well with realistic social engineering attacks targeting internal teams.
Operationally, because a patch is not available, you may need to consider mitigations such as removing the plugin, limiting Contributor access, reviewing where contributor accounts are used, and increasing monitoring for suspicious links and unusual admin actions. The best option depends on your risk tolerance and how essential Writeprint Stylometry is to business operations.
Similar Attacks
While this issue is specific to Writeprint Stylometry, XSS has a long history of being used to hijack sessions, spread malicious links, and damage brands. Well-known real-world examples include:
MySpace “Samy” worm (2005)
Twitter onMouseOver XSS worm (2010)