VYPR
Medium severity 6.5 · NVD Advisory · Published Mar 13, 2026 · Updated Apr 22, 2026

CVE-2026-32403

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in toocheke Toocheke Companion toocheke-companion allows DOM-Based XSS. This issue affects Toocheke Companion: from n/a through <= 1.194.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Toocheke Companion <= 1.194 has a DOM-based XSS vulnerability: unneutralized user input allows script injection, and exploitation requires interaction by a privileged user.

The Toocheke Companion plugin for WordPress versions up to and including 1.194 contains a DOM-based Cross-Site Scripting (XSS) vulnerability [1]. This arises from improper neutralization of input during web page generation, allowing attacker-controlled data to be executed as JavaScript in the browser of a victim visiting a crafted page [CVE description].

Exploitation requires a privileged user (such as an administrator or editor) to perform an action like clicking a malicious link, submitting a crafted form, or visiting a specially prepared page [1]. The attacker does not need direct network access to the vulnerable site but must socially engineer a user with appropriate privileges into triggering the payload.

Successful exploitation enables an attacker to inject arbitrary HTML and JavaScript into the context of the victim's session [1]. This could be used to redirect visitors, inject advertisements, or perform other client-side attacks that appear to originate from the trusted WordPress site, potentially affecting any guest who views the compromised page.

The vendor has released version 1.195 which addresses the vulnerability [1]. Users are strongly advised to update their plugin to this version immediately, or enable automatic updates for vulnerable plugins if using a Patchstack subscription [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
