CVE-2026-24955
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Whizz Plugins (whizz-plugins) allows Reflected XSS. This issue affects Whizz Plugins: from n/a through <= 1.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected cross-site scripting vulnerability in the Whizz Plugins WordPress plugin allows unauthenticated attackers to inject arbitrary scripts.
The Whizz Plugins WordPress plugin, version 1.9 and earlier, contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This issue exists in the whizz-plugins component and allows attackers to inject arbitrary HTML and JavaScript into affected web pages [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL containing a script payload. The attack requires user interaction, such as clicking on a crafted link or visiting a specially prepared page [1]. Since there are no authentication requirements, attackers can target any site visitor, including administrators and other high-privilege users [1].
Impact
Successful exploitation enables an attacker to execute arbitrary scripts in the victim's browser within the security context of the affected WordPress site [1]. This can be leveraged to redirect users to malicious sites, display unwanted advertisements, steal session cookies, or inject other HTML content [1]. The vulnerability is considered moderately dangerous and is expected to be targeted in mass-exploit campaigns due to its low complexity and no authentication requirement [1].
Mitigation
The vulnerability has been addressed in version 2.0.0 of the Whizz Plugins plugin [1]. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until a patched version is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 1.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.