CVE-2026-39451

Vulnerability

The WP Google Review Slider plugin for WordPress versions up to and including 18.0 contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw allows an attacker to inject arbitrary HTML and JavaScript code without requiring authentication. The vulnerability is present in the plugin's handling of user-supplied data, which is not properly sanitized before being stored and later displayed on the site. [1]

Exploitation

An unauthenticated attacker can exploit this vulnerability by submitting crafted input to a vulnerable endpoint. While the vulnerability can be initiated without authentication, successful exploitation requires a privileged user (such as an administrator) to perform an action, such as clicking a malicious link, visiting a crafted page, or submitting a form. This user interaction is necessary to trigger the stored payload. [1]

Impact

Successful exploitation allows an attacker to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website. These scripts execute when guests visit the affected site, potentially leading to information disclosure, session hijacking, or defacement. The impact is limited by the need for user interaction, but the vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns. [1]

Mitigation

The vulnerability is fixed in version 18.1 of the WP Google Review Slider plugin. Users are advised to update to version 18.1 or later immediately. For Patchstack users, auto-update for vulnerable plugins can be enabled. No virtual patch is available due to the specific nature of the vulnerability. [1]