Skip to main content

Editorial Rating Product Review Rating System

1 CVEs product

Monthly

CVE-2026-12560 MEDIUM This Month

Stored Cross-Site Scripting in the Editorial Rating - Product Review & Rating System WordPress plugin (versions ≤ 4.0.5) enables authenticated administrators to inject persistent JavaScript payloads via the 'Link URL' field, which execute in any site visitor's browser upon loading an affected review page. The attack exploits a WordPress-specific sanitization bypass: because the payload is stored in post meta (_wpas_er_options via update_post_meta) rather than post_content or post_excerpt, WordPress's unfiltered_html capability exemption does not apply, meaning the restriction affects all administrators regardless of their unfiltered_html status. No public exploit has been identified at time of analysis and no active exploitation is confirmed; real-world risk is substantially constrained by the PR:H (administrator) prerequisite.

WordPress XSS Editorial Rating Product Review Rating System
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Editorial Rating - Product Review & Rating System WordPress plugin (versions ≤ 4.0.5) enables authenticated administrators to inject persistent JavaScript payloads via the 'Link URL' field, which execute in any site visitor's browser upon loading an affected review page. The attack exploits a WordPress-specific sanitization bypass: because the payload is stored in post meta (_wpas_er_options via update_post_meta) rather than post_content or post_excerpt, WordPress's unfiltered_html capability exemption does not apply, meaning the restriction affects all administrators regardless of their unfiltered_html status. No public exploit has been identified at time of analysis and no active exploitation is confirmed; real-world risk is substantially constrained by the PR:H (administrator) prerequisite.

WordPress XSS Editorial Rating Product Review Rating System
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy