VYPR
Medium severity 6.5 · NVD Advisory · Published Mar 25, 2026 · Updated Apr 24, 2026

CVE-2026-32491

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP Review Slider wp-facebook-reviews allows Stored XSS. This issue affects WP Review Slider: from n/a through <= 13.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in WP Review Slider plugin allows authenticated attackers to inject malicious scripts into pages viewed by other users.

Vulnerability Overview

The WP Review Slider plugin (wp-facebook-reviews) for WordPress is affected by a stored cross-site scripting (XSS) vulnerability, tracked as CVE-2026-32491. The issue arises from improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be stored and later executed in the context of other users' browsers. This vulnerability affects all versions up to and including 13.9 [1].

Exploitation Details

Exploitation requires an authenticated user with the appropriate privileges (e.g., contributor or higher) to inject a crafted payload. Successful execution also depends on user interaction, such as clicking a malicious link or visiting a specially crafted page. The vulnerability is considered moderately dangerous and is expected to be targeted in mass-exploit campaigns, as attackers often use such flaws to compromise thousands of websites regardless of their size or popularity [1].

Impact

An attacker exploiting this vulnerability can inject arbitrary HTML and JavaScript into the affected site. This could lead to redirects, unwanted advertisements, data theft, or other malicious actions when visitors access the compromised pages. The stored XSS nature means the payload persists and affects all subsequent visitors, amplifying the potential damage [1].

Mitigation

The vendor has released version 14.0, which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the patch is applied. Additionally, enabling auto-updates for vulnerable plugins is recommended [1].
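To find installations that still fall in the affected range (through 13.9, fixed in 14.0), the following added example scans a web root for the plugin and reads its version header. It is not code from the advisory or the plugin vendor, and it assumes the default `wp-content/plugins/<slug>` layout and a standard WordPress plugin header in a top-level PHP file.

```python
import re
import sys
from pathlib import Path

SLUG = "wp-facebook-reviews"   # plugin slug named in the advisory
LAST_AFFECTED = (13, 9)        # advisory: affected through <= 13.9, fixed in 14.0
# Same header style WordPress parses: optional comment characters, then "Key: value".
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def parse_version(text):
    """'13.9' -> (13, 9); '14.0' -> (14,); stops at the first non-numeric part."""
    parts = []
    for piece in (text or "").strip().split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    while parts and parts[-1] == 0:   # so that 13.9.0 compares equal to 13.9
        parts.pop()
    return tuple(parts)

def installed_version(plugin_dir):
    """Version header of the main plugin file, or None if no header is found.
    WordPress reads only the first 8 KiB of each top-level PHP file."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        with open(php, "rb") as fh:
            head = fh.read(8192).decode("utf-8", "replace")
        fields = {key.lower(): value for key, value in HEADER.findall(head)}
        if "plugin name" in fields and "version" in fields:
            return fields["version"]
    return None

def status(version):
    parsed = parse_version(version)
    if not parsed:
        return "unknown"       # missing or unparsable header: review by hand
    return "affected" if parsed <= LAST_AFFECTED else "not affected"

def scan(root):
    """Check every copy of the plugin under root (default wp-content layout assumed)."""
    results = []
    for plugin_dir in sorted(Path(root).glob(f"**/wp-content/plugins/{SLUG}")):
        version = installed_version(plugin_dir)
        results.append((str(plugin_dir), version, status(version)))
    return results

if __name__ == "__main__":
    for path, version, state in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{state:12} {version or '?':8} {path}")
```

Run it with the hosting web root as the only argument; sites that relocate `wp-content` will not be found and need to be checked separately.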

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
