CVE-2026-24558
BaseFortify
Publication date: 2026-01-23
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| antoniobg | abg_rich_pins | to 1.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24558 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress ABG Rich Pins Plugin versions up to and including 1.1. It allows an attacker to inject malicious scripts into web pages generated by the plugin. The attack requires a privileged user, such as a contributor or developer, to interact with a crafted link, page, or form. Once exploited, the malicious scripts can execute when visitors access the compromised site, potentially causing redirects, displaying unwanted advertisements, or executing other harmful HTML payloads. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to inject and execute malicious scripts on your website, which can lead to unauthorized redirects, display of unwanted advertisements, or other harmful actions affecting site visitors. It requires interaction from a privileged user to be exploited, and while it has a moderate risk level (CVSS 6.5), it is considered low priority with low severity impact and unlikely to be widely exploited. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this Stored Cross-Site Scripting (XSS) vulnerability in the ABG Rich Pins plugin involves monitoring for unusual script injections or unexpected HTML payloads in the content generated by privileged users such as contributors or developers. Since exploitation requires user interaction (e.g., clicking malicious links or submitting crafted forms), reviewing logs for suspicious user actions or scanning the website content for injected scripts may help. However, no specific detection commands or tools are provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include limiting the privileges of users who can interact with the plugin to reduce the risk of exploitation, monitoring for suspicious activity, and applying any available security intelligence or mitigation guidance from services like Patchstack. Since no official fix is currently available, it is recommended to follow best practices such as restricting access, educating users about phishing or malicious links, and keeping the plugin updated if future patches are released. [1]