WordPress HollerBox Plugin <= 2.3.2 is vulnerable to Cross Site Scripting (XSS)
Description
HollerBox plugin >=2.3.2 contains a stored XSS vulnerability exploitable by authenticated administrators.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HollerBox plugin >=2.3.2 contains a stored XSS vulnerability exploitable by authenticated administrators.
Vulnerability
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability exists in the HollerBox plugin for WordPress, versions <= 2.3.2 [1]. The issue allows an administrator-level user to inject arbitrary JavaScript that persists in the plugin's settings or popup configuration.
Exploitation
An attacker must have administrator-level access to the WordPress site. The attacker injects malicious script into a plugin field that is not properly sanitized. When another admin or user views the affected page (e.g., the popup editor or settings), the script executes [1].
Impact
Successful exploitation results in arbitrary JavaScript execution in the context of the admin's session. This can lead to privilege escalation, session hijacking, defacement, or theft of sensitive data.
Mitigation
The vendor has released version 2.3.11 which fixes the vulnerability [1]. Users should update to the latest version. No workaround is available for older versions.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Groundhogg Inc./HollerBoxv5Range: n/a
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.