Skip to main content

Favicon WordPress Plugin EUVDEUVD-2026-32202

| CVE-2026-42754 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 audit@patchstack.com GHSA-pm54-33vh-rrvj
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:38 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in phbernard Favicon favicon-by-realfavicongenerator allows Reflected XSS.This issue affects Favicon: from n/a through <= 1.3.46.

AnalysisAI

Reflected cross-site scripting in the Favicon plugin by RealFaviconGenerator (phbernard) for WordPress affects all releases up to and including version 1.3.46, allowing unauthenticated attackers to deliver a crafted link that, when opened by a victim, executes attacker-controlled JavaScript in that user's browser session. The CVSS 3.1 base score is 7.1, driven largely by a scope change (S:C) that lets the injected script reach resources beyond the plugin itself, though exploitation requires user interaction. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; EPSS is very low at 0.03% (10th percentile), indicating little observed exploitation interest so far.

Technical ContextAI

The flaw is a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue in a WordPress plugin that integrates favicon generation from RealFaviconGenerator. As a reflected XSS, user-supplied input from a request parameter is echoed back into a generated web page without proper output encoding or input sanitization, so a browser parsing the response treats attacker-supplied markup as executable script. Because the CVSS vector marks scope as changed (S:C), the executing script can affect the security context of the broader WordPress application - for example acting within an authenticated administrator's session - rather than being contained to the plugin component. No CPE strings were supplied in the source data; product identity is established from the plugin slug favicon-by-realfavicongenerator and the EUVD/Patchstack records.

RemediationAI

No vendor-released patch version is identified in the provided data - the affected range ends at 1.3.46 with no confirmed fixed release named - so the primary action is to monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/favicon-by-realfavicongenerator/vulnerability/wordpress-favicon-plugin-1-3-46-cross-site-scripting-xss-vulnerability?_s_id=cve) and the WordPress plugin repository, then upgrade to the first release published after 1.3.46 once the vendor confirms a fix. Until a patched version is verified, apply virtual patching through a WordPress WAF (such as Patchstack or Wordfence) to filter the reflected XSS payload, which carries minimal functional side effects; if the plugin is not essential, deactivating and removing it eliminates the exposure entirely at the cost of losing favicon-management functionality. Because exploitation depends on a victim opening a malicious link, also reinforce that administrators avoid clicking untrusted links to the site's admin URLs, and consider tightening Content-Security-Policy headers to reduce the impact of injected script, accepting that strict CSP can break inline scripts used by other plugins.

Share

EUVD-2026-32202 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy