CVE-2026-28072
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixFort pixfort Core pixfort-core allows Reflected XSS. This issue affects pixfort Core: from n/a through <= 3.2.22.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in pixfort Core plugin (≤3.2.22) allows attackers to inject malicious scripts via unneutralized input, exploited when privileged users click crafted links.
Vulnerability Overview
The pixfort Core WordPress plugin (versions through 3.2.22) suffers from a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. The flaw lies in the plugin's failure to sanitize or escape parameters before rendering them in HTTP responses, enabling the injection of arbitrary HTML and JavaScript.
Exploitation Requirements
Exploitation requires a user with certain privileges (e.g., author or higher) to interact with a crafted link or submit a malicious form [1]. The attacker does not need authentication to deliver the payload, but the victim must perform an action such as clicking a URL or visiting a specially prepared page. The reflected nature means the payload is immediately executed in the victim's browser session.
Impact Assessment
Successful exploitation allows an attacker to inject malicious scripts, resulting in actions like redirecting visitors to attacker-controlled sites, displaying unauthorized advertisements, or delivering other HTML payloads [1]. Given the moderate CVSS score of 7.1 and the likelihood of inclusion in mass-exploit campaigns, this vulnerability poses a tangible risk to WordPress sites running the affected plugin.
Mitigation Status
A patched version, 3.2.26, has been released to resolve the issue [1]. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a virtual mitigation rule that blocks exploitation attempts until the plugin is updated [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 3.2.22
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.