enfold Vulnerability (Medium) – CVE-2026-3952

Mar 20, 2026 | Themes

Attack Vectors

Product: Enfold (WordPress theme). Slug: enfold-2.

Vulnerability: CVE-2026-3952 (Medium severity; CVSS 6.4, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) affects Enfold versions up to and including 7.1.4.

This is an authenticated stored cross-site scripting (XSS) issue. An attacker needs Contributor-level access or higher and injects script into content through the av_codeblock shortcode. Once stored, the script runs in the browser of any visitor who loads the affected page, including editors and administrators, so the impact extends well beyond the low-privilege account used to plant it.

From a business-risk perspective, the most likely real-world entry point is a compromised low-privilege user (e.g., a contractor, intern, or a staff account with reused passwords), or an overly broad role assignment where more people than necessary have Contributor access.

Security Weakness

Enfold does not sufficiently sanitize or escape user-controlled attributes of the av_codeblock shortcode, specifically wrapper_element and wrapper_element_attributes, so values a Contributor supplies there end up in the rendered page markup.

Because this is a stored XSS, the payload persists in a page or post and fires on every view, turning a single successful injection into an ongoing risk until the content is removed or the theme is patched or replaced.

Remediation status: There is no known patch available at this time. Vulnerability details and the source reference are published in the Wordfence advisory, and the CVE record is filed under CVE-2026-3952.

Technical or Business Impacts

Brand and customer trust risk: Injected scripts can alter what users see on key pages (homepages, landing pages, campaign pages), potentially defacing content, redirecting traffic, or inserting fraudulent calls-to-action. This can directly impact campaign performance and brand credibility.

Data and account risk: Stored XSS can be used to target logged-in users (including admins) who view an infected page. Because the script runs in the site's own origin with the victim's session cookies, it can issue authenticated requests on the victim's behalf; WordPress nonces do not stop this, since the script can read them from the page. In practical terms this may enable follow-on actions such as unauthorized changes to site content, creation of rogue accounts, or other misuse, depending on the victim's role.

Compliance and governance risk: If the site supports lead generation, customer portals, or any regulated workflow, a persistent client-side injection raises concerns around unauthorized content manipulation, auditability, and potential exposure of sensitive business information. Even when direct data theft is limited, the incident response effort (content review, access review, and stakeholder communications) can be costly.

Operational impact: With no patch available, leadership may need to weigh compensating controls against replacing the theme. Common mitigations include: tightening role assignments (minimize Contributor+ users), adding review/approval before content from lower-privilege authors goes live, auditing existing content and monitoring new content for av_codeblock shortcodes with unexpected wrapper_element or wrapper_element_attributes values, and considering removal or replacement of the affected theme based on risk tolerance. One caveat on review controls: in stock WordPress a Contributor cannot publish, so the editor who previews a pending post is the first likely victim; review reduces exposure of the public site but does not protect the reviewer.
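As an added example (not Enfold's code, and not taken from the advisory), the Python script below covers two points from the sections above: it shows the weakness class described under Security Weakness, an unsafe wrapper render beside an allowlist-and-escape version, and it implements the monitoring mitigation listed under Operational impact by scanning post content for av_codeblock shortcodes whose wrapper_element or wrapper_element_attributes values break a policy. The shortcode grammar is a simplified version of WordPress's, the allowlists are assumed policy, the attribute values in the sample posts are generic illustrations of the weakness class, and the sample posts themselves are constructed.

```python
"""Audit post content for av_codeblock wrapper attributes and show an
allowlist-and-escape render beside the unsafe pattern.

Added example, not Enfold's code: the theme's real shortcode handling is
not reproduced; attribute names come from the advisory, the allowlists
and sample posts are assumptions."""
import re
from html import escape

# Simplified shortcode grammar: [av_codeblock k="v" ...]body[/av_codeblock]
SHORTCODE_RE = re.compile(
    r"\[av_codeblock\b(?P<attrs>[^\]]*)\](?P<body>.*?)\[/av_codeblock\]",
    re.DOTALL | re.IGNORECASE,
)
# key="v", key='v' or key=v, the forms WordPress's shortcode_parse_atts accepts
ATTR_RE = re.compile(
    r"""(?P<key>[\w-]+)\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^\s"'\]]+))"""
)

# Assumed policy: acceptable wrapper tags and attribute keys.
ALLOWED_WRAPPERS = {"div", "section", "pre"}
ALLOWED_ATTR_KEY = re.compile(r"^(class|id|title|data-[\w-]+)$")
# Markup, event handlers or script URLs have no business in an attribute list.
SUSPICIOUS = re.compile(r"(?i)(<|>|\bon\w+\s*=|javascript:|data:text/html)")


def parse_attrs(raw: str) -> dict:
    """Return {key: value} for a shortcode attribute string (later keys win)."""
    out = {}
    for m in ATTR_RE.finditer(raw):
        val = next((m.group(g) for g in ("dq", "sq", "bare") if m.group(g) is not None), "")
        out[m.group("key").lower()] = val
    return out


def audit_post(post_id: int, content: str) -> list:
    """List av_codeblock usages in one post whose wrapper attributes break policy."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        attrs = parse_attrs(m.group("attrs"))
        wrapper = attrs.get("wrapper_element", "")
        extra = attrs.get("wrapper_element_attributes", "")
        reasons = []
        if wrapper and wrapper.lower() not in ALLOWED_WRAPPERS:
            reasons.append(f"wrapper_element={wrapper!r} is not an allowed tag")
        if SUSPICIOUS.search(extra):
            reasons.append("wrapper_element_attributes contains markup, an event handler or a script URL")
        if reasons:
            findings.append({"post_id": post_id, "reasons": reasons, "shortcode": m.group(0)})
    return findings


def audit_posts(posts: dict) -> list:
    """Run audit_post over {post_id: post_content}."""
    return [f for pid, body in posts.items() for f in audit_post(pid, body)]


def render_wrapper_unsafe(attrs: dict, inner_html: str) -> str:
    """The weakness class the advisory describes: user-controlled values are
    interpolated into the tag name and attribute list with no allowlist or escaping."""
    tag = attrs.get("wrapper_element", "div")
    extra = attrs.get("wrapper_element_attributes", "")
    return f"<{tag} {extra}>{inner_html}</{tag}>"


def render_wrapper_safe(attrs: dict, inner_html: str) -> str:
    """Hardened form: allowlist the tag, allowlist attribute keys, escape values.
    inner_html is assumed to be prepared by the caller; the advisory concerns
    only the wrapper attributes, so body handling is out of scope here."""
    tag = attrs.get("wrapper_element", "div").lower()
    if tag not in ALLOWED_WRAPPERS:
        tag = "div"
    kept = [
        f'{k}="{escape(v, quote=True)}"'
        for k, v in parse_attrs(attrs.get("wrapper_element_attributes", "")).items()
        if ALLOWED_ATTR_KEY.match(k)
    ]
    attr_str = (" " + " ".join(kept)) if kept else ""
    return f"<{tag}{attr_str}>{inner_html}</{tag}>"


# Constructed sample post_content values (not from any real site).
SAMPLE_POSTS = {
    101: 'Intro [av_codeblock wrapper_element="pre" wrapper_element_attributes="class=\'lang-php\'"]echo 1;[/av_codeblock]',
    102: '[av_codeblock wrapper_element="div" wrapper_element_attributes=\'class="note" onmouseover="alert(document.cookie)"\']text[/av_codeblock]',
    103: '[av_codeblock wrapper_element="img src=x onerror=alert(1)"]text[/av_codeblock]',
    104: "No shortcode here.",
}

if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS):
        print(f["post_id"], "; ".join(f["reasons"]))
    bad = parse_attrs(SHORTCODE_RE.search(SAMPLE_POSTS[102]).group("attrs"))
    print("unsafe:", render_wrapper_unsafe(bad, "text"))
    print("safe:  ", render_wrapper_safe(bad, "text"))
```

To run this against a real site, feed it post_content pulled with WP-CLI (`wp post get <ID> --field=post_content`) or read from the wp_posts table, and review the flagged posts by hand, since the policy regexes are deliberately broad. The unsafe render exists only to show what a contributor-supplied attribute string turns into and should not be used anywhere.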

Similar Attacks

Stored XSS has a long history of being used to spread malicious content and compromise accounts at scale. A few well-documented examples include:

The “Samy” MySpace worm (2005) — a classic stored XSS incident that rapidly propagated across user profiles.

The Twitter onMouseOver worm (2010) — demonstrated how script injection can spread quickly through social sharing and user interaction patterns.
