Favicon Rotator
Monthly
Reflected/stored cross-site scripting in the Favicon Rotator WordPress plugin (versions 1.2.11 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The CVSS scope-changed vector (S:C) indicates the injected script can impact resources beyond the vulnerable plugin component, typically the entire WordPress site context. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, but the unauthenticated nature combined with WordPress's broad install base elevates real-world concern.
Reflected/stored cross-site scripting in the Favicon Rotator WordPress plugin (versions 1.2.11 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The CVSS scope-changed vector (S:C) indicates the injected script can impact resources beyond the vulnerable plugin component, typically the entire WordPress site context. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, but the unauthenticated nature combined with WordPress's broad install base elevates real-world concern.