CVE-2026-24621
BaseFortify
Publication date: 2026-01-23
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | terms_descriptions | to 3.4.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24621 is a Cross Site Scripting (XSS) vulnerability in the WordPress Terms Descriptions Plugin (versions up to 3.4.9). It allows an attacker to inject malicious scripts into web pages generated by the plugin. These scripts can execute when visitors access the compromised site. Exploitation requires an administrator-level user to interact with a malicious link, page, or form. This vulnerability falls under the OWASP Top 10 category A3: Injection and has a moderate severity score of 5.9. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to inject malicious scripts such as redirects, advertisements, or other HTML payloads that execute in the context of the website. This can lead to unauthorized actions, user session hijacking, or displaying unwanted content to visitors. However, exploitation requires administrator interaction, and the overall impact is considered low priority and unlikely to be widely exploited. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this DOM-Based XSS vulnerability involves monitoring for suspicious administrator-level actions such as clicking malicious links, visiting crafted pages, or submitting forms that could trigger script injection. Since the vulnerability requires user interaction with privileged access, reviewing web server logs for unusual administrator activity or unexpected input in Terms Descriptions plugin pages may help. Specific commands are not provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting administrator-level user interactions with untrusted links or pages, monitoring for suspicious activity, and using Patchstack's mitigation services which provide rapid protection against this and similar vulnerabilities. Since no official fix or patched version is available as of the publication date, applying such mitigation services is recommended. [1]