CVE-2026-28126
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sizam RH Frontend Publishing Pro rh-frontend allows Reflected XSS. This issue affects RH Frontend Publishing Pro: from n/a through < 4.3.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in WordPress RH Frontend Publishing Pro plugin before 4.3.4 allows attackers to inject malicious scripts via crafted links.
CVE-2026-28126 is a reflected Cross-Site Scripting (XSS) issue in the RH Frontend Publishing Pro plugin for WordPress. The plugin fails to properly neutralize user input during web page generation, allowing attackers to inject arbitrary JavaScript code. This affects all versions before 4.3.4 [1].
Exploitation requires user interaction: an attacker must trick a privileged user (e.g., an administrator) into clicking a malicious link or visiting a specially crafted page. This can be achieved through phishing emails or other social engineering techniques. Once the user interacts, the injected script executes in their browser session within the context of the WordPress admin panel [1].
Successful exploitation enables the attacker to perform actions such as redirecting the victim to malicious sites, displaying advertisements, or stealing sensitive information like session cookies. The CVSS v3.1 score of 7.1 (High) reflects the moderate complexity and potential for mass exploitation campaigns [1].
As a mitigation, users should update the plugin to version 4.3.4 or later. Those unable to update immediately can apply a virtual patch via Patchstack, which blocks exploitation attempts until the update is applied. The vulnerability is flagged as likely to be exploited in automated attacks targeting thousands of websites [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <4.3.4
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.