Skip to main content

Google CVE-2026-39674

| EUVDEUVD-2026-20353 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Patchstack GHSA-89qm-qc7r-hmwp
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20353
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Manoj Kumar MK Google Directions google-distance-calculator allows DOM-Based XSS.This issue affects MK Google Directions: from n/a through <= 3.1.1.

AnalysisAI

DOM-based cross-site scripting in MK Google Directions WordPress plugin versions up to 3.1.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper sanitization of user-supplied input during web page generation, enabling attackers to steal session cookies, perform actions on behalf of authenticated users, or deface plugin interface elements. With an EPSS score of 0.03% (8th percentile), real-world exploitation probability is minimal despite the medium CVSS score of 6.5.

Technical ContextAI

MK Google Directions is a WordPress plugin that integrates Google Maps distance calculation functionality into WordPress sites. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating the plugin fails to properly encode or filter user input before rendering it in the DOM. DOM-based XSS differs from stored or reflected XSS in that the malicious payload is processed entirely on the client side through unsafe JavaScript operations (such as innerHTML, eval, or document.write) rather than being sent from the server. The affected product is identified by CPE string cpe:2.3:a:manoj_kumar:mk_google_directions, indicating the vulnerability affects the plugin published by Manoj Kumar across all configurations and platforms.

RemediationAI

Users of MK Google Directions should upgrade to a patched version released by the plugin vendor following this advisory. The exact patched version number is not specified in available advisory data; administrators should check the WordPress plugin repository or contact the plugin maintainer for the latest available version beyond 3.1.1. Until patching is possible, site administrators can mitigate risk by restricting plugin access to trusted administrators only, implementing a Web Application Firewall (WAF) rule to sanitize input to the affected plugin endpoints, or disabling the plugin if it is not actively required. The primary advisory for this vulnerability is available at https://patchstack.com/database/Wordpress/Plugin/google-distance-calculator/vulnerability/wordpress-mk-google-directions-plugin-3-1-1-cross-site-scripting-xss-vulnerability and at https://nvd.nist.gov/vuln/detail/CVE-2026-39674.

Share

CVE-2026-39674 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy