CVE-2026-1647
Reflected XSS in Comment Genius Plugin β€ 1.2.5 Enables Script Injection
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| comment_genius | plugin | to 1.2.5 (inc) |
| basilis_kanonidis | comment_genius | to 1.2.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Comment Genius plugin for WordPress, up to and including version 1.2.5, is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_SERVER['PHP_SELF'] parameter.
This vulnerability arises because the plugin does not properly sanitize or escape input from this parameter, allowing unauthenticated attackers to inject arbitrary web scripts.
If an attacker tricks a user into clicking a specially crafted link, the injected script can execute in the context of the user's browser.
How can this vulnerability impact me? :
This Reflected Cross-Site Scripting vulnerability can impact users by allowing attackers to execute malicious scripts in their browsers when they interact with crafted links.
Potential impacts include theft of user credentials, session hijacking, defacement of web pages, or redirection to malicious sites.
Since the vulnerability requires user interaction (clicking a link), it can be exploited through phishing or social engineering attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The Comment Genius plugin for WordPress versions up to and including 1.2.5 is vulnerable to reflected cross-site scripting due to insufficient input sanitization.
Immediate mitigation steps include disabling or uninstalling the Comment Genius plugin until a secure update is released.
Since the plugin has been temporarily closed and is no longer available for download pending a full security review, avoid using it in your WordPress environment.
Additionally, ensure that your WordPress installation and all other plugins are kept up to date to reduce exposure to similar vulnerabilities.