CVE-2026-24555
BaseFortify
Publication date: 2026-01-23
Last updated on: 2026-04-28
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
| Metric | Score |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| artplacer | artplacer_widget | up to and including 2.23.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24555 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress ArtPlacer Widget Plugin versions up to 2.23.1. It allows an attacker to inject malicious scripts into web pages generated by the plugin. Exploitation requires a privileged user (Contributor or Developer) to interact with a crafted link, page, or form, which then causes the malicious script to execute when other site visitors access the affected pages. [1]
How can this vulnerability impact me?
This vulnerability can lead to attackers injecting malicious scripts that execute in the browsers of site visitors. This can result in unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads. However, exploitation requires privileged user interaction, which limits the risk. The overall severity is moderate with a CVSS score of 6.5. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for suspicious input or script injections in the ArtPlacer Widget on your WordPress site, especially from users with Contributor or Developer privileges. Since exploitation requires user interaction with crafted inputs, you can check logs for unusual POST requests or URL parameters containing script tags or other suspicious payloads. Commands to assist detection might include web server log analysis tools or grep commands such as `grep -i '<script' /path/to/access.log` or `grep -E '(<script|javascript:|onerror=)' /path/to/access.log`. Additionally, scanning the affected pages for reflected or stored scripts using security tools or browser developer consoles can help identify exploitation attempts. [1]
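The grep commands above match raw log text, but XSS payloads in an access log are usually percent-encoded (`%3Cscript%3E` rather than `<script>`), so a raw match misses them. The following POSIX shell script is an added example, not part of the BaseFortify record or of the ArtPlacer plugin: it URL-decodes each log line before applying the page's indicator patterns (`<script`, `javascript:`, `onerror=`), extended here with a few common event-handler and tag indicators. The log lines are constructed sample data, and the request paths are generic WordPress paths chosen for illustration; they are not the plugin's actual endpoints or parameters.

```shell
#!/bin/sh
# Added example: decode-then-match scan of web server access logs for
# stored/reflected XSS indicators. Not the plugin's code; sample data below
# is constructed and uses generic WordPress paths, not real plugin endpoints.

# Constructed sample access-log lines (Common Log Format). Lines 2-4 carry
# encoded or raw XSS indicators; lines 1 and 5 are benign.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [23/Jan/2026:10:00:01 +0000] "POST /wp-admin/post.php?post_title=Sunset HTTP/1.1" 200 512
203.0.113.7 - - [23/Jan/2026:10:00:02 +0000] "POST /wp-admin/post.php?post_title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
203.0.113.9 - - [23/Jan/2026:10:00:03 +0000] "GET /?s=<img src=x onerror=alert(1)> HTTP/1.1" 200 2048
203.0.113.9 - - [23/Jan/2026:10:00:04 +0000] "GET /gallery/?link=javascript%3Aalert(1) HTTP/1.1" 200 2048
203.0.113.11 - - [23/Jan/2026:10:00:05 +0000] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 4096
EOF
)

# Percent-decode stdin line by line using awk only, so it runs on plain
# POSIX sh without bash-specific printf escapes. '+' is treated as a space,
# as in query strings.
urldecode() {
  awk '
  BEGIN { for (i = 1; i < 256; i++) hex[sprintf("%02X", i)] = sprintf("%c", i) }
  {
    s = $0; out = ""
    gsub(/\+/, " ", s)
    while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
      out = out substr(s, 1, RSTART - 1) hex[toupper(substr(s, RSTART + 1, 2))]
      s = substr(s, RSTART + 3)
    }
    print out s
  }'
}

# Indicator patterns: the three from the record plus a few common extras
# (extension here, not from the record). Case-insensitive.
XSS_PATTERN='(<script|javascript:|onerror=|onload=|onmouseover=|<svg|<iframe)'

# Read log lines on stdin, decode them, print the ones matching an indicator.
scan_xss_lines() {
  urldecode | grep -E -i "$XSS_PATTERN"
}

# Convenience wrapper for a file on disk: scan_log_file /path/to/access.log
scan_log_file() {
  scan_xss_lines < "$1"
}

# Number of suspicious lines in the constructed sample (expected: 3).
count_sample_hits() {
  printf '%s\n' "$SAMPLE_LOG" | scan_xss_lines | wc -l | tr -d ' '
}

# Stand-alone run: print the decoded hits, then the count.
printf '%s\n' "$SAMPLE_LOG" | scan_xss_lines | sed 's/^/HIT: /'
echo "suspicious lines: $(count_sample_hits)"
```

Decoding first is what makes line 2 and line 4 visible; a raw `grep -i '<script'` over the same sample reports only line 3. Matches are leads to review against the WordPress user who made the request, not proof of exploitation: legitimate content can contain these substrings.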
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or reviewing user privileges to limit who can perform actions as Contributors or Developers, since exploitation requires privileged user interaction. Avoid clicking suspicious links or submitting untrusted forms within the WordPress admin area. Monitor and sanitize inputs where possible. Since no official patch is available yet, consider disabling or removing the ArtPlacer Widget plugin until a fix is released. Implementing Web Application Firewall (WAF) rules to block common XSS payloads targeting this plugin can also reduce risk. [1]