CVE-2026-48885
Description
Unauthenticated XSS vulnerability in HollerBox plugin <=2.3.10.1 allows attackers to inject malicious scripts into WordPress sites.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated XSS vulnerability in HollerBox plugin <=2.3.10.1 allows attackers to inject malicious scripts into WordPress sites.
Vulnerability
HollerBox versions up to and including 2.3.10.1 contain an unauthenticated Cross-Site Scripting (XSS) vulnerability. The issue arises due to improper neutralization of user input during web page generation. The vulnerability does not require authentication but requires user interaction to be exploited.
Exploitation
An attacker can inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website. Successful exploitation requires a privileged user (e.g., admin) to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form [1].
Impact
If exploited, the injected scripts execute when guests visit the site. This can lead to information disclosure, redirects to malicious sites, or other harmful actions. The CVSS v3 score is 7.1 (High) [1].
Mitigation
Users should update to version 2.3.11 or later, which resolves the vulnerability. Patchstack has issued a mitigation rule to block attacks until the update is applied [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
1- Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026)Wordfence Blog · Jun 11, 2026