CVE-2026-42643
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP Image Widget image-widget allows Stored XSS. This issue affects Image Widget: from n/a through <= 4.4.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress Image Widget plugin (<=4.4.11) allows authenticated attackers to inject malicious scripts.
The Image Widget plugin for WordPress, developed by StellarWP, suffers from a stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation. This affects versions up to and including 4.4.11 [1].
An attacker with the required privileges can inject malicious scripts into the image widget, which are then stored and executed when other users visit the affected page. Successful exploitation requires a privileged user to perform an action, such as clicking a crafted link, to trigger the script injection [1].
A malicious actor can inject arbitrary scripts, including redirects, advertisements, and other HTML payloads, potentially compromising the security of the website and its visitors [1].
To mitigate this vulnerability, users should update the plugin to version 4.4.12 or later. Patchstack users can enable auto-updates for vulnerable plugins to ensure protection [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.4.11
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.