CVE-2026-39674

The MK Google Directions plugin for WordPress (versions up to and including 3.1.1) contains a DOM-Based Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary JavaScript into the page's DOM [1].\.

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link or visiting a crafted page. The attack does not require authentication from the victim beyond the initial privileged user action, but the injected script executes in the context of the victim's browser session.

A successful attack could allow a malicious actor to inject scripts that redirect visitors, display redirects, advertisements, or other HTML payloads. These scripts execute when any visitor loads the affected page, potentially leading to session hijacking, defacement, or phishing attacks.

The vulnerability is patched in versions after 3.1.1. Users are advised to update the plugin immediately. If updating is not possible, contacting the hosting provider or a web developer for assistance is recommended. This vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites.

## References - [1] Patchstack advisory