CVE-2026-24573

Vulnerability

The Visualizer plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This affects all versions before 4.0.0. An attacker with the ability to input data (e.g., a contributor-level user) can inject arbitrary JavaScript or HTML that is stored and later executed in the browsers of other users, including administrators, when they view the affected page [1].

Exploitation

Exploitation requires an authenticated user with at least the role that can access the vulnerable input fields (the exact privilege level is not publicly specified but is typically a contributor or author). The attacker submits crafted input containing malicious script. No additional user interaction is needed for the initial injection, but the stored payload executes automatically when any user (including site visitors) loads the page containing the injected content. The reference notes that successful exploitation may require a privileged user to perform an action such as clicking a link or visiting a crafted page, though the stored nature of the XSS means the payload fires on page load [1].

Impact

A successful attack allows the attacker to execute arbitrary scripts in the context of the victim's browser. This can lead to session hijacking, redirection to malicious sites, defacement, or theft of sensitive information such as cookies and authentication tokens. The impact is limited to the browser session of the victim, but because the script is stored, it can affect all users who view the compromised page, including site administrators [1].

Mitigation

The vulnerability is fixed in version 4.0.0 of the Visualizer plugin. Users should update to this version or later immediately. Patchstack users can enable auto-updates for vulnerable plugins. No other workarounds are documented in the available reference [1].