Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Manoj Kumar MK Google Directions google-distance-calculator allows DOM-Based XSS.This issue affects MK Google Directions: from n/a through <= 3.1.1.
AnalysisAI
DOM-based cross-site scripting in MK Google Directions WordPress plugin versions up to 3.1.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper sanitization of user-supplied input during web page generation, enabling attackers to steal session cookies, perform actions on behalf of authenticated users, or deface plugin interface elements. With an EPSS score of 0.03% (8th percentile), real-world exploitation probability is minimal despite the medium CVSS score of 6.5.
Technical ContextAI
MK Google Directions is a WordPress plugin that integrates Google Maps distance calculation functionality into WordPress sites. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating the plugin fails to properly encode or filter user input before rendering it in the DOM. DOM-based XSS differs from stored or reflected XSS in that the malicious payload is processed entirely on the client side through unsafe JavaScript operations (such as innerHTML, eval, or document.write) rather than being sent from the server. The affected product is identified by CPE string cpe:2.3:a:manoj_kumar:mk_google_directions, indicating the vulnerability affects the plugin published by Manoj Kumar across all configurations and platforms.
RemediationAI
Users of MK Google Directions should upgrade to a patched version released by the plugin vendor following this advisory. The exact patched version number is not specified in available advisory data; administrators should check the WordPress plugin repository or contact the plugin maintainer for the latest available version beyond 3.1.1. Until patching is possible, site administrators can mitigate risk by restricting plugin access to trusted administrators only, implementing a Web Application Firewall (WAF) rule to sanitize input to the affected plugin endpoints, or disabling the plugin if it is not actively required. The primary advisory for this vulnerability is available at https://patchstack.com/database/Wordpress/Plugin/google-distance-calculator/vulnerability/wordpress-mk-google-directions-plugin-3-1-1-cross-site-scripting-xss-vulnerability and at https://nvd.nist.gov/vuln/detail/CVE-2026-39674.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20353
GHSA-89qm-qc7r-hmwp