Skip to main content

Wp Review Slider CVE-2026-32491

| EUVDEUVD-2026-15833 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-wg43-4pm5-2pqv
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15833
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP Review Slider wp-facebook-reviews allows Stored XSS.This issue affects WP Review Slider: from n/a through <= 13.9.

AnalysisAI

A Stored Cross-Site Scripting (XSS) vulnerability exists in the WP Review Slider plugin (also known as wp-facebook-reviews) versions 13.9 and earlier, allowing attackers to inject malicious scripts that persist in the application and execute in users' browsers. This vulnerability affects WordPress site administrators and users who interact with review content. An attacker can exploit this to steal session tokens, deface content, redirect users to malicious sites, or perform actions on behalf of compromised users.

Technical ContextAI

The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation, which indicates inadequate input sanitization or output encoding in the review slider functionality. The WP Review Slider plugin (CPE: cpe:2.3:a:jgwhite33:wp_review_slider:*:*:*:*:*:*:*:*) is a WordPress plugin designed to display reviews, likely sourced from Facebook or similar platforms. The Stored XSS variant means malicious input is saved to the database and executed whenever the affected page is rendered, making it a persistent threat affecting all site visitors rather than just a single user session. The root cause stems from the plugin failing to properly escape or sanitize user-supplied data before storing it in the database or rendering it in HTML context.

RemediationAI

Immediately upgrade the WP Review Slider plugin to the latest patched version beyond 13.9 by navigating to Dashboard > Plugins > Updates in WordPress and clicking Update, or download the patched version directly from the WordPress plugin repository. Consult the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/wp-facebook-reviews/vulnerability/wordpress-wp-review-slider-plugin-13-9-cross-site-scripting-xss-vulnerability for confirmation of patch availability and version details. If patching is temporarily delayed, implement Web Application Firewall (WAF) rules to filter common XSS payloads in review submission endpoints, disable the vulnerable plugin until patched, or restrict access to the review slider functionality. Additionally, audit existing reviews in the database for indicators of compromise (unusual JavaScript tags, suspicious event handlers) and remove malicious entries if discovered.

Share

CVE-2026-32491 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy