Favicon by RealFaviconGenerator <= 1.3.20 - Reflected Cross-Site Scripting (XSS)
Description
The Favicon by RealFaviconGenerator WordPress plugin through 1.3.20 does not sanitise or escape one of its parameters before outputting it back in the response, leading to a Reflected Cross-Site Scripting (XSS) which is executed in the context of a logged-in administrator.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Favicon by RealFaviconGenerator WordPress plugin through 1.3.20 allows admin-level XSS via unsanitized parameter.
Vulnerability
The Favicon by RealFaviconGenerator WordPress plugin through version 1.3.20 fails to sanitize or escape one of its parameters before outputting it back in the response, leading to a reflected Cross-Site Scripting (XSS) vulnerability [1]. The vulnerable parameter is reflected without proper encoding, making the attack possible when a logged-in administrator visits a crafted URL.
Exploitation
An attacker can craft a malicious URL containing a JavaScript payload in the vulnerable parameter. The victim must be a logged-in administrator who clicks the link. No authentication is required for the attacker, but the victim must have an active admin session. The payload executes in the context of the administrator's browser session.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the administrator's browser. This can lead to session hijacking, theft of sensitive data, or performing administrative actions on behalf of the victim, potentially compromising the entire WordPress site.
Mitigation
The vulnerability is fixed in version 1.3.22, released on August 9, 2021 [1]. Users should update to this version immediately. No workarounds are documented; updating is the only recommended mitigation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.3.20
- (no CPE) range: <=1.3.20
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization and output escaping of a plugin parameter allows reflected Cross-Site Scripting (XSS)."
Attack vector
An attacker crafts a URL containing a malicious payload in a plugin parameter that is not sanitized or escaped before being reflected in the response [1]. When a logged-in administrator visits this crafted URL, the payload executes as reflected Cross-Site Scripting (XSS) in the administrator's browser session [1]. The attack requires no authentication on the attacker's part and is delivered via a link that the administrator must click.
Affected code
The advisory does not specify the exact function or file path. The vulnerability exists in the Favicon by RealFaviconGenerator WordPress plugin through version 1.3.20 [1].
What the fix does
The advisory states that version 1.3.22 fixes the issue, but no patch diff is provided in the bundle [1]. The fix would involve properly sanitizing and escaping the unsanitized parameter before outputting it back in the response, preventing arbitrary HTML or JavaScript from being injected [1].
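As an added illustration of that fix (not the plugin's code: the advisory names neither the parameter nor the file, so the setting name rfg_example and the request key are hypothetical), a WordPress admin-page handler that reflects a request value, first in the unescaped form the advisory describes and then corrected with WordPress's own sanitisation and escaping helpers:

```php
<?php
// Added example, not the plugin's code. The parameter name 'rfg_example'
// is a placeholder; the advisory does not identify the real one.

// BEFORE (the pattern the advisory describes): the raw request value is
// echoed straight back into the admin page, so any markup carried in the
// URL is rendered and executed in the administrator's browser.
function rfg_example_render_before() {
    $value = isset( $_GET['rfg_example'] ) ? $_GET['rfg_example'] : '';
    echo '<input type="text" name="rfg_example" value="' . $value . '">';
    echo '<p>Current value: ' . $value . '</p>';
}

// AFTER: sanitise on input, escape on output, choosing the helper that
// matches the HTML context the value lands in.
function rfg_example_render_after() {
    // wp_unslash() strips the slashes WordPress adds to request data;
    // sanitize_text_field() removes tags, invalid UTF-8 and line breaks
    // before the value is used anywhere.
    $value = isset( $_GET['rfg_example'] )
        ? sanitize_text_field( wp_unslash( $_GET['rfg_example'] ) )
        : '';

    // Attribute context: esc_attr() encodes quotes and angle brackets so
    // the value cannot break out of the value="..." attribute.
    echo '<input type="text" name="rfg_example" value="' . esc_attr( $value ) . '">';

    // Text-node context: esc_html() encodes <, >, &, " and ' so any
    // markup in the value is displayed as literal text, not parsed.
    echo '<p>Current value: ' . esc_html( $value ) . '</p>';
}
```

Escaping is per output context: a value that is safe inside an attribute via esc_attr() is not automatically safe inside a script block, where wp_json_encode() is the appropriate helper.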
Preconditions
- config: The target site must be running the Favicon by RealFaviconGenerator plugin through version 1.3.20
- input: A logged-in administrator must visit a crafted URL containing the malicious payload
- auth: No authentication is required for the attacker
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] wpscan.com/vulnerability/ed9d26be-cc96-4274-a05b-0b7ad9d8cfd9 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.