Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP Review Slider wp-facebook-reviews allows Stored XSS.This issue affects WP Review Slider: from n/a through <= 13.9.
AnalysisAI
A Stored Cross-Site Scripting (XSS) vulnerability exists in the WP Review Slider plugin (also known as wp-facebook-reviews) versions 13.9 and earlier, allowing attackers to inject malicious scripts that persist in the application and execute in users' browsers. This vulnerability affects WordPress site administrators and users who interact with review content. An attacker can exploit this to steal session tokens, deface content, redirect users to malicious sites, or perform actions on behalf of compromised users.
Technical ContextAI
The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation, which indicates inadequate input sanitization or output encoding in the review slider functionality. The WP Review Slider plugin (CPE: cpe:2.3:a:jgwhite33:wp_review_slider:*:*:*:*:*:*:*:*) is a WordPress plugin designed to display reviews, likely sourced from Facebook or similar platforms. The Stored XSS variant means malicious input is saved to the database and executed whenever the affected page is rendered, making it a persistent threat affecting all site visitors rather than just a single user session. The root cause stems from the plugin failing to properly escape or sanitize user-supplied data before storing it in the database or rendering it in HTML context.
RemediationAI
Immediately upgrade the WP Review Slider plugin to the latest patched version beyond 13.9 by navigating to Dashboard > Plugins > Updates in WordPress and clicking Update, or download the patched version directly from the WordPress plugin repository. Consult the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/wp-facebook-reviews/vulnerability/wordpress-wp-review-slider-plugin-13-9-cross-site-scripting-xss-vulnerability for confirmation of patch availability and version details. If patching is temporarily delayed, implement Web Application Firewall (WAF) rules to filter common XSS payloads in review submission endpoints, disable the vulnerable plugin until patched, or restrict access to the review slider functionality. Additionally, audit existing reviews in the database for indicators of compromise (unusual JavaScript tags, suspicious event handlers) and remove malicious entries if discovered.
More in Wp Review Slider
View allThe WP Review Slider WordPress plugin before 12.2 does not properly sanitise and escape a parameter before using it in a
The WP Review Slider WordPress plugin before 11.0 does not sanitise and escape the pid parameter when copying a Twitter
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LJ Apps WP Review
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15833
GHSA-wg43-4pm5-2pqv