Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP TripAdvisor Review Slider wp-tripadvisor-review-slider allows Stored XSS.This issue affects WP TripAdvisor Review Slider: from n/a through <= 14.1.
AnalysisAI
A Stored Cross-Site Scripting (XSS) vulnerability exists in the WP TripAdvisor Review Slider WordPress plugin through version 14.1, allowing attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability affects all versions up to and including 14.1, and an attacker with sufficient privileges to inject content can compromise user sessions, steal credentials, or perform arbitrary actions on behalf of site administrators. No CVSS score or EPSS data is currently available, and active exploitation status via KEV is unknown, but Patchstack has documented this as a confirmed vulnerability with a reference implementation.
Technical ContextAI
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which describes the failure to properly sanitize or escape user-supplied input before rendering it in HTML context. The affected product is the jgwhite33 WP TripAdvisor Review Slider plugin (CPE: cpe:2.3:a:jgwhite33:wp_tripadvisor_review_slider:*:*:*:*:*:*:*:*), a WordPress plugin designed to display TripAdvisor reviews on websites. The plugin likely fails to sanitize review data, custom fields, or plugin settings before storing them in the WordPress database or rendering them in front-end templates. Because the XSS is classified as Stored (rather than Reflected), the malicious payload persists in the database, making it a higher-severity attack vector that affects all subsequent visitors to the compromised page.
RemediationAI
Immediately upgrade the WP TripAdvisor Review Slider plugin to a patched version beyond 14.1 (consult the vendor or Patchstack for the exact patched version number). Visit the official plugin repository or the vendor's website for patch availability. If no patch is immediately available, consider disabling the plugin until a fix is released, as Stored XSS in a public-facing plugin poses significant risk. As a temporary mitigation, restrict write access to plugin settings and review input fields to trusted administrator roles only, and consider using a Web Application Firewall (WAF) rule to detect and block script injection patterns in review submissions. Monitor the Patchstack database and official WordPress plugin repository for security updates.
More in Wp Tripadvisor Review Slider
View allThe WP TripAdvisor Review Slider WordPress plugin before 10.8 does not properly sanitise and escape a parameter before u
The WP TripAdvisor Review Slider WordPress plugin before 11.9 does not sanitise and escape some of its settings, which c
SQL Injection in the WP TripAdvisor Review Slider WordPress plugin (all versions through 14.6) allows authenticated atta
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15832
GHSA-77pg-69m3-j9m7