Skip to main content

HollerBox CVE-2026-48885

| EUVDEUVD-2026-36859 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-j36x-g5wc-m7vg
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable unauthenticated XSS requiring victim interaction; scope changes to browser/site context with low confidentiality, integrity, and availability impact via injected script.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:44 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in HollerBox <= 2.3.10.1 versions.

AnalysisAI

Unauthenticated reflected/stored cross-site scripting in the HollerBox WordPress plugin (versions 2.3.10.1 and earlier) allows remote attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 due to the scope change (S:C) reflecting the WordPress site context being affected from injected content; no public exploit identified at time of analysis and no CISA KEV listing exists.

Technical ContextAI

HollerBox (also known as Holler Box) is a WordPress plugin by Groundhogg used to display popups, notification bars, and lead-capture widgets on WordPress sites; the affected CPE is cpe:2.3:a:groundhogg:hollerbox:*. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied data is rendered into HTML/JS contexts without proper output encoding or input sanitization, allowing script injection. Because the CVSS vector includes S:C (scope changed), the executed script runs in the trust context of the WordPress site, enabling cross-origin impact such as session theft or admin-session abuse if an authenticated administrator triggers the payload.

RemediationAI

Upgrade the HollerBox plugin to a version newer than 2.3.10.1 once the vendor publishes a fixed release; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/holler-box/vulnerability/wordpress-hollerbox-plugin-2-3-10-1-cross-site-scripting-xss-vulnerability should be consulted for the exact fixed version, as no specific patched version was supplied in this intelligence. As compensating controls until patched, deploy a WordPress WAF rule (e.g., Patchstack, Wordfence) that filters script tags and JavaScript event handlers on HollerBox endpoints, deactivate the HollerBox plugin if it is not in active use (eliminates the attack surface entirely but removes popup/notification functionality), and enforce a strict Content-Security-Policy header that disallows inline scripts (may break legitimate inline JS in themes/plugins and requires testing). Administrators should also avoid clicking unknown links to their own site while authenticated, since admin-session interaction is what makes XSS dangerous.

Share

CVE-2026-48885 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy