CVE-2026-24555

Vulnerability

Overview The ArtPlacer Widget plugin for WordPress versions up to and including 2.23.2 contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker with contributor-level privileges or higher to inject arbitrary HTML and JavaScript code that is stored on the server and executed in the browsers of visitors [1].

Exploitation

Conditions Exploitation requires a user with the 'Contributor' role or above to submit crafted input through the plugin's widget interface. No direct authentication bypass is needed, but the attacker must first gain a low-privileged account or rely on an existing privileged user to perform an action such as visiting a malicious link click or form submission [1]. The injected payload persists in the database and triggers when any user visits the affected page, making it a stored XSS scenario [1].

Impact

A successful attack allows the malicious actor to execute arbitrary scripts in the context of the victim's browser. This can be used to redirect visitors to phishing sites, display unauthorized advertisements, steal session cookies, or deface the website [1]. The vulnerability is considered medium severity (CVSS 6.5) and has been observed in mass-exploit campaigns targeting WordPress sites [1].

Mitigation

The vendor has released version 2.23.3 patches the issue by properly sanitizing output. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, consult a hosting provider or web developer for temporary workarounds [1].