Scoreboard for HTML5 Games Lite Vulnerability (Medium) – CVE-2026-4083

Mar 20, 2026 | Plugins

Attack Vectors

Product: Scoreboard for HTML5 Games Lite (WordPress plugin). Severity: Medium (CVSS 6.4; CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). CVE: CVE-2026-4083.

This issue is an authenticated Stored Cross-Site Scripting (XSS) vulnerability that requires an attacker to have at least Contributor-level access (or any role permitted to add content that includes the affected shortcode). The attacker can place a crafted [scoreboard] shortcode into a post or page so that the malicious payload is stored in the WordPress database and later executed when others view the content.

Because the CVSS vector indicates no user interaction is required (UI:N), the practical risk is that the script may execute automatically when the vulnerable content is rendered, depending on how the injected attributes behave in the visitor’s browser.

Security Weakness

In Scoreboard for HTML5 Games Lite versions up to and including 1.2, the sfhg_shortcode() handler for the scoreboard shortcode allows arbitrary HTML attributes to be added to the rendered <iframe>. Only a small blacklist of four attribute names is blocked (same_height_as, onload, onpageshow, onclick).

Although attribute names are passed through esc_html() and values through esc_attr(), this does not stop attackers from supplying other JavaScript event handler attributes (for example, onfocus, onmouseover, and similar). Escaping only keeps the name and value inside their attribute boundaries; an event handler is itself a valid attribute name, so it is emitted intact on the <iframe> and can still lead to script execution in the browser. The net result is a stored XSS condition that can be triggered whenever the affected content is displayed.

Technical or Business Impacts

Stored XSS can translate into immediate business risk for marketing and customer-facing sites: injected scripts can modify page content, redirect visitors, capture form inputs, or interfere with analytics and conversion tracking. With this CVE’s scope change (S:C), the impact can extend beyond the immediate page context, raising the stakes for brand trust and campaign performance.

For leadership and compliance teams, the most common outcomes include: reputational damage from visible defacement or unwanted pop-ups, potential exposure of user data entered on affected pages, increased support load, and incident response costs (including investigative time and possible notification obligations depending on what data is collected on those pages).

Remediation: Update Scoreboard for HTML5 Games Lite to version 1.3 or newer (patched). As a risk-reduction measure, review who can publish or edit content containing shortcodes and audit existing posts/pages for unexpected [scoreboard] shortcode attributes.
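The following is an added example (not code from the plugin or from this advisory) that implements the audit step above: it scans post content for [scoreboard] shortcodes, parses their attributes the way WordPress's shortcode parser does, and flags any attribute that is an event handler or is not in an expected set. The EXPECTED_ATTRS set and the sample posts are assumptions constructed for the demo; the real accepted attribute names must be taken from the plugin's sfhg_shortcode() source.

```python
import re

# Assumed set of attributes the shortcode legitimately accepts (constructed
# for this demo; verify against the plugin's sfhg_shortcode() source).
EXPECTED_ATTRS = {"id", "width", "height", "same_height_as"}

# Matches one [scoreboard ...] shortcode and captures its attribute text.
SHORTCODE_RE = re.compile(r"\[scoreboard\b([^\]]*)\]", re.IGNORECASE)
# Attribute grammar in the style of shortcode_parse_atts():
# name="value", name='value' or name=value
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")


def parse_attrs(attr_text):
    """Return {name: value} for one shortcode's attribute string."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value
    return attrs


def audit_post(post_id, content):
    """Flag [scoreboard] attributes that should not reach the iframe.

    Returns a list of (post_id, attribute, value, reason) findings."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        for name, value in parse_attrs(m.group(1)).items():
            if name.startswith("on"):
                findings.append((post_id, name, value, "event handler attribute"))
            elif name not in EXPECTED_ATTRS:
                findings.append((post_id, name, value, "unexpected attribute"))
    return findings


def audit_posts(posts):
    """posts: iterable of (post_id, content) pairs; returns all findings."""
    return [f for pid, body in posts for f in audit_post(pid, body)]


if __name__ == "__main__":
    # Constructed sample posts, not real site content.
    sample = [
        (101, 'Scores: [scoreboard id="7" width="400" height="300"]'),
        (102, 'Try it: [scoreboard id="8" onfocus="x" srcdoc="y"]'),
    ]
    for finding in audit_posts(sample):
        print("post %d: %s=%r (%s)" % finding)
```

In practice the (post_id, content) pairs come from wp_posts via WP-CLI or a database query; any finding warrants removing the attribute and reviewing the account that saved it.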

Similar attacks (real-world examples): Stored XSS is a recurring issue across platforms and plugins. For reference, see CVE-2019-9978 (Social Warfare plugin), CVE-2017-5487 (WordPress core Stored XSS), and CVE-2020-25213 (stored XSS in a WordPress plugin context).
