CVE-2026-24558
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antoniobg ABG Rich Pins abg-rich-pins allows Stored XSS. This issue affects ABG Rich Pins: from n/a through <= 1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in ABG Rich Pins plugin (≤1.1) allows authenticated attackers to inject arbitrary scripts via unsanitized.
The ABG Rich Pins plugin for WordPress, versions up to and including 1.1, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. The plugin fails to sanitize or escape certain fields before storing them, allowing malicious script content to be persisted on the server.
Exploitation requires an authenticated user with at least contributor-level privileges to inject the payload via the plugin's input. The attack does not require any special network position; the attacker simply submits crafted data through the plugin's normal input mechanisms. Once stored, the malicious script executes in the browsers of other users (including administrators) when they view the affected page, without requiring any additional user interaction beyond normal browsing.
An attacker can leverage this vulnerability to inject arbitrary HTML and JavaScript, leading to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information. The CVSS v3 base score of 6.5 (Medium) reflects the need for authenticated access but the potential for significant impact on confidentiality, integrity, and availability.
As of the advisory publication date (2026-01-23), no patch has been released for the affected plugin. Users are strongly advised to update the plugin if a patched version becomes available, or to disable the plugin and seek alternative solutions. The vulnerability is known to be used in mass-exploit campaigns, making immediate mitigation critical [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.