CVE-2026-32490

Vulnerability

Overview The WP TripAdvisor Review Slider plugin for WordPress (versions up to and including 14.1) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This makes it possible for attackers with sufficient privileges to inject arbitrary HTML and JavaScript code that will be executed when other users visit affected pages.

Exploitation

Conditions To exploit this vulnerability, an attacker must have a role with the required privileges (e.g., Editor or higher) and the ability to submit or modify reviews. The attack requires user interaction, as a privileged user must perform an action such as clicking a link or submitting a form that triggers the injected script [1]. The stored XSS payload persists in the database, affecting all future visitors to the compromised page.

Impact

Successful exploitation allows an attacker to inject malicious scripts, which can be used to redirect visitors, display advertisements, steal session cookies, or perform other actions in the context of the victim's browser. This could lead to privilege escalation, data theft, or defacement of the WordPress site.

Mitigation

The vulnerability has been patched in version 14.2 of the plugin. Users are strongly advised to update immediately. Patchstack also provides a mitigation rule to block attacks until the update can be applied [1].