{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32491", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:00.510Z", "datePublished": "2026-03-25T16:14:58.745Z", "dateUpdated": "2026-03-25T20:20:18.524Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-facebook-reviews", "product": "WP Review Slider", "vendor": "jgwhite33", "versions": [{"changes": [{"at": "14.0", "status": "unaffected"}], "lessThanOrEqual": "<= 13.9", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Doan Dinh Van | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:37.402Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP Review Slider wp-facebook-reviews allows Stored XSS.<p>This issue affects WP Review Slider: from n/a through <= 13.9.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP Review Slider wp-facebook-reviews allows Stored XSS.This issue affects WP Review Slider: from n/a through <= 13.9."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:58.745Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-facebook-reviews/vulnerability/wordpress-wp-review-slider-plugin-13-9-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress WP Review Slider plugin <= 13.9 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:20:14.813524Z", "id": "CVE-2026-32491", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:20:18.524Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32491", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:20:14.813524Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:20:07.735Z"}}], "cna": {"title": "WordPress WP Review Slider plugin <= 13.9 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Doan Dinh Van | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "affected": [{"vendor": "jgwhite33", "product": "WP Review Slider", "versions": [{"status": "affected", "changes": [{"at": "14.0", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 13.9"}], "packageName": "wp-facebook-reviews", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:37.402Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-facebook-reviews/vulnerability/wordpress-wp-review-slider-plugin-13-9-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP Review Slider wp-facebook-reviews allows Stored XSS.This issue affects WP Review Slider: from n/a through <= 13.9.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP Review Slider wp-facebook-reviews allows Stored XSS.<p>This issue affects WP Review Slider: from n/a through <= 13.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:58.745Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32491", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:20:18.524Z", "dateReserved": "2026-03-12T11:12:00.510Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:58.745Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP Review Slider wp-facebook-reviews allows Stored XSS.This issue affects WP Review Slider: from n/a through <= 13.9."}], "id": "CVE-2026-32491", "lastModified": "2026-03-25T21:16:42.163", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:00.693", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-facebook-reviews/vulnerability/wordpress-wp-review-slider-plugin-13-9-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:35:48.237957+00:00", "value": {"mitigation_remediation": ["Update WP Review Slider to version 14.0 or later.", "If immediate update is not possible, temporarily remove or disable the plugin until a patch is applied.", "Review all input fields associated with the plugin for proper sanitization and consider additional WAF rules to block malicious scripts."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the jgwhite33 WP Review Slider plugin version 13.9 and earlier. Any WordPress site that has the plugin installed and has not upgraded past this version is affected.", "description_and_impact": "The WP Review Slider plugin (wp\u2011facebook\u2011reviews) contains a stored cross\u2011site scripting flaw that allows an attacker to inject malicious script code into web pages displayed to visitors. Because the input is not properly neutralized during page generation, scripts can run in the context of any user who views the affected page. This can lead to session hijacking, credential theft, defacement, or the execution of arbitrary actions on behalf of the user.", "risk_and_exploitability": "No EPSS score is available and the issue is not listed in the CISA KEV catalog. Nevertheless, the use of stored XSS makes the flaw potentially exploitable by unauthenticated or low\u2011privilege users who can enter data into admin fields or public forms that the plugin processes. Attackers could gain the ability to run arbitrary scripts in the browsers of site visitors, which is a high\u2011severity impact. Because the vulnerability is in a third\u2011party plugin, it is often discovered through open\u2011source scanning and may receive rapid community patches."}}}}, "created": "2026-03-25T21:43:37.475343+00:00", "updated": "2026-03-25T21:43:37.475368+00:00", "vendors": []}