Skip to main content

Google EUVDEUVD-2026-11850

| CVE-2026-32360 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-13 Patchstack
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11850
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 5.9

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richplugins Rich Showcase for Google Reviews widget-google-reviews allows Stored XSS.This issue affects Rich Showcase for Google Reviews: from n/a through <= 6.9.4.3.

AnalysisAI

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Rich Showcase for Google Reviews widget (richplugins plugin) affecting versions through 6.9.4.3, where improper input neutralization during web page generation allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers. An attacker with administrative or plugin configuration access can store XSS payloads that will be executed for any user viewing the affected widget, potentially leading to session hijacking, credential theft, or defacement. While the CVSS score of 5.9 indicates moderate severity and requires user interaction and high privileges to exploit, the stored nature of this vulnerability means the payload persists and affects multiple users passively.

Technical ContextAI

The Rich Showcase for Google Reviews widget is a WordPress plugin (CPE identifier would be cpe:2.3:a:richplugins:rich_showcase_for_google_reviews) that displays Google review content on web pages. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-controlled or attacker-controlled input is embedded into dynamically generated HTML without proper sanitization or encoding. The plugin likely fails to escape or validate data at the point where review content, widget configuration, or custom text is rendered to the DOM. This is particularly dangerous in stored XSS scenarios because the malicious payload is persisted in the database (or configuration) and executed every time the widget is rendered, affecting all visitors rather than just a single session.

RemediationAI

Immediately upgrade the Rich Showcase for Google Reviews widget to version 6.9.4.4 or later; check the WordPress plugin repository or richplugins.com for the latest patched version and apply the update via the WordPress dashboard under Plugins → Updates. As an interim measure if an immediate patch is unavailable, disable the widget or restrict its visibility to authenticated users only via a Web Application Firewall (WAF) rule or WordPress user role restriction. Additionally, audit the widget's configuration history and review any stored content for signs of XSS payloads; if found, remove malicious entries from the database directly. Ensure all administrator accounts use strong, unique passwords and implement two-factor authentication to reduce the likelihood of unauthorized configuration changes. Monitor website traffic and user reports for signs of injected malicious scripts, including unexpected redirects or credential theft.

Share

EUVD-2026-11850 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy