CVE-2025-39487
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ValvePress Rankie valvepress-rankie allows Reflected XSS.This issue affects Rankie: from n/a through <= 1.8.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Rankie plugin (≤1.8.2) allows attackers to inject malicious scripts via crafted requests, requiring user interaction.
The vulnerability is a reflected Cross-Site Scripting (XSS) in the Rankie plugin for WordPress, versions up to and including 1.8.2. The plugin fails to properly neutralize user-supplied input before including it in web pages, allowing an attacker to inject arbitrary HTML and JavaScript code [1].
Exploitation requires a privileged user, such as an administrator, to click a malicious link or visit a crafted page. The attacker does not need authentication but relies on social engineering to trick the victim into performing the action [1].
Successful exploitation enables the attacker to execute scripts in the context of the victim's browser. This can lead to redirecting visitors, displaying advertisements, stealing session cookies, or performing actions on behalf of the victim, potentially compromising the entire WordPress site [1].
The vulnerability is fixed in version 1.8.3. Users are strongly advised to update immediately. Patchstack also provides a mitigation rule to block attacks until the update is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=1.8.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.