VYPR
High severity (CVSS 7.1) · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-42649

Description

Favicon Rotator <= 1.2.11 is vulnerable to unauthenticated stored XSS, allowing attackers to inject malicious scripts that execute in visitors' browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Favicon Rotator WordPress plugin, version 1.2.11 and earlier, contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The bug allows an unauthenticated attacker to inject arbitrary scripts into the plugin's pages; the injected content is stored and executed when other users access the site. [1]

Exploitation

An attacker can exploit this vulnerability without prior authentication. However, successful exploitation requires a privileged user (such as an administrator) to perform an action, such as clicking a malicious link or visiting a crafted page. This could be achieved via social engineering or by embedding the crafted request in a comment or other user-generated content that the admin visits. [1]

Impact

If exploited, an attacker can inject malicious scripts (e.g., redirects, advertisements, or other HTML payloads) into the website. These scripts will execute when visitors browse the site, potentially leading to information disclosure, session hijacking, or defacement. The CVSS score is 7.1 (High). [1]

Mitigation

Update to version 1.2.12 or later, which resolves the vulnerability. Patchstack has also issued a mitigation rule to block attacks until the update is applied. No workaround other than updating has been mentioned. The vulnerability is considered moderately dangerous and expected to be exploited in mass campaigns. [1]

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in our index yet)