WP Google Review Slider CVE-2026-39451

EUVD-2026-36930 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 · Patchstack · GHSA-3xm9-v8wr-3w5j
CVSS 3.1: 6.3 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary: 6.3 MEDIUM
CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

vuln.today AI: 5.4 MEDIUM
Availability impact is None - reflected XSS inherently affects confidentiality and integrity (session theft, DOM manipulation) but does not disrupt service availability.
CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Jun 15, 2026 - 23:15 (vuln.today)

Description (CVE.org)

Unauthenticated Cross Site Scripting (XSS) in WP Google Review Slider <= 18.0 versions.

Analysis (AI)

Unauthenticated cross-site scripting in the WP Google Review Slider WordPress plugin (versions up to and including 18.0) allows a remote, unauthenticated attacker to inject arbitrary JavaScript that executes in the browser of any user who interacts with the affected page. Reported by Patchstack and tracked as EUVD-2026-36930, the vulnerability stems from improper input sanitization in a publicly accessible plugin component. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify WordPress site running vulnerable plugin
Delivery: Craft URL with XSS payload in vulnerable parameter
Exploit: Deliver crafted URL to victim via phishing or social engineering
Execution: Victim loads page in browser
Persist: Injected script executes in victim browser context
Impact: Steal session cookie or perform authenticated actions as victim

Vulnerability Assessment (AI)

Exploitation: The WP Google Review Slider plugin must be installed and active on a WordPress site running version 18.0 or below. …

Risk Assessment: The NVD CVSS 3.1 score of 6.3 (Medium) reflects a balanced risk profile: network-accessible (AV:N), low complexity (AC:L), and no authentication required (PR:N), but limited by the requirement for user interaction (UI:R) and unchanged scope (S:U). …

Exploit Scenario: An attacker identifies a WordPress site running WP Google Review Slider 18.0 or earlier and crafts a URL containing a malicious JavaScript payload injected into a vulnerable parameter handled by the plugin. The attacker distributes this URL via phishing email, forum post, or social engineering targeting site visitors or administrators. …

Remediation: Update the WP Google Review Slider plugin to a version above 18.0 via the WordPress plugin dashboard or by downloading directly from the WordPress plugin repository. …
