Skip to main content

Widgets for Google Reviews EUVDEUVD-2026-43155

| CVE-2026-11591 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-11 Wordfence GHSA-qc9w-x5m9-8667
4.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
4.0 MEDIUM

Network-accessible admin panel; AC:H for mandatory non-default deployment conditions; PR:H for required editor role; UI:R corrected from provided vector since a victim must visit the injected page for script execution; scope change and limited C/I impact preserved.

3.1 AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 07:06 vuln.today
CVE Published
Jul 11, 2026 - 05:35 cve.org
MEDIUM 4.4

DescriptionCVE.org

The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AnalysisAI

Stored Cross-Site Scripting in the Widgets for Google Reviews WordPress plugin (versions ≤ 13.3) enables authenticated attackers holding editor-level WordPress roles to inject persistent JavaScript through admin settings, which then executes in any site visitor's browser on pages rendering the compromised widget. Exploitation is gated by two environmental prerequisites - multi-site WordPress deployments or single-site installs where unfiltered_html has been explicitly disabled - substantially narrowing the attack surface despite the network-accessible entry point. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain editor-level WordPress credentials
Delivery
Navigate to Widgets for Google Reviews admin settings
Exploit
Inject JavaScript payload into widget configuration field
Install
Payload persisted in WordPress database
C2
Victim user visits page rendering the compromised widget
Execute
Malicious script executes in victim's browser context
Impact
Session tokens or sensitive data exfiltrated

Vulnerability AssessmentAI

Exploitation Two explicit prerequisites must both be satisfied: (1) The attacker must hold an authenticated WordPress account with editor-level permissions or higher - unauthenticated users and lower-privileged roles (Subscriber, Contributor, Author) cannot exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 4.4 (Medium) with vector AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N signals limited real-world priority for most deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with an editor account on a WordPress multi-site network navigates to the Widgets for Google Reviews plugin settings and injects a JavaScript payload (e.g., a cookie-stealing script) into a widget configuration field such as the free widget configurator. The payload is saved to the database; any site visitor - including administrators - who subsequently loads a page containing that Google Reviews widget has the script silently execute in their browser, potentially exfiltrating session tokens or credentials to an attacker-controlled endpoint. …
Remediation Update the Widgets for Google Reviews plugin to the version released after changeset 3584904 in the WordPress plugin repository (https://plugins.trac.wordpress.org/changeset?reponame=&old=3584904%40wp-reviews-plugin-for-google&new=3584904%40wp-reviews-plugin-for-google); an exact patched release number is not independently confirmed from available data, so verify the current version in the WordPress.org plugin directory changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43155 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy