EUVD-2026-31409
GHSA-jf98-h9cw-4365
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.
AnalysisAI
Reflected Cross-Site Scripting in the CBX 5 Star Rating & Review WordPress plugin (versions up to and including 1.0.7) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'page' parameter rendered in administrative log templates. Successful exploitation requires social engineering an authenticated administrator into clicking a crafted URL, limiting automated mass exploitation while remaining a realistic threat in targeted phishing campaigns against WordPress site owners. …
Sign in for full analysis, threat intelligence, and remediation guidance.
More from same product – last 7 days
Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers t
Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthentic
Unauthenticated privilege escalation in the Advanced Custom Fields: Extended (ACFE) WordPress plugin through version 0.9
Blind SQL injection in the RealMag777 'Active Products Tables for WooCommerce' WordPress plugin (versions up to and incl
Blind SQL injection in the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (all versions up to and
Share
External POC / Exploit Code
Leaving vuln.today