Skip to main content

Favicon Rotator CVE-2026-42649

| EUVDEUVD-2026-36817 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-px3j-8gx4-6v7c
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network-reachable XSS requires victim click (UI:R); script executes in WordPress session scope (S:C) with limited C/I/A impact on the host site.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:02 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Favicon Rotator <= 1.2.11 versions.

AnalysisAI

Reflected/stored cross-site scripting in the Favicon Rotator WordPress plugin (versions 1.2.11 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The CVSS scope-changed vector (S:C) indicates the injected script can impact resources beyond the vulnerable plugin component, typically the entire WordPress site context. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, but the unauthenticated nature combined with WordPress's broad install base elevates real-world concern.

Technical ContextAI

Favicon Rotator is a WordPress plugin by the developer 'archetyped' (CPE cpe:2.3:a:archetyped:favicon_rotator) that allows site owners to display rotating favicons. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is reflected into HTML or attribute context without proper output encoding or input sanitization. Because the CVSS vector specifies PR:N, the vulnerable code path is reachable without authentication, suggesting the injection sink is in a publicly accessible plugin endpoint, shortcode, or admin-facing page that processes untrusted request parameters. The S:C (scope changed) designation is typical for stored/reflected XSS in WordPress, where script execution in an authenticated administrator's session can pivot to compromise the entire CMS.

RemediationAI

No vendor-released patch identified at time of analysis; the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/favicon-rotator/vulnerability/wordpress-favicon-rotator-plugin-1-2-11-cross-site-scripting-xss-vulnerability) lists 1.2.11 as the latest vulnerable version with no fixed release noted. The most reliable mitigation is to deactivate and uninstall the Favicon Rotator plugin and replace its functionality with a maintained alternative or a manually configured favicon, since the plugin appears unmaintained. As compensating controls, deploy a WordPress-aware WAF rule (e.g., Patchstack, Wordfence virtual patching) to filter requests to the plugin's endpoints, enforce a strict Content-Security-Policy that disallows inline script execution to neutralize reflected payloads (trade-off: may break legitimate inline scripts in themes/plugins), and restrict wp-admin access via IP allowlist to reduce the chance that an authenticated administrator triggers the vulnerable URL.

Share

CVE-2026-42649 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy