CVE-2026-32491
Status: Received - Intake
Stored XSS in WP Review Slider Plugin Allows Persistent Attacks

Publication date: 2026-03-25

Last updated on: 2026-03-25

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP Review Slider (wp-facebook-reviews) allows Stored XSS. This issue affects WP Review Slider: from n/a through <= 13.9.
Meta Information
Published: 2026-03-25
Last Modified: 2026-03-25
Generated: 2026-05-07
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: jgwhite33
Product: wp_review_slider
Version / Range: up to 13.9 (inclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32491 is a medium severity Cross Site Scripting (XSS) vulnerability in the WordPress WP Review Slider Plugin versions up to and including 13.9.

This vulnerability allows attackers to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into websites using the plugin.

These malicious scripts execute when visitors access the compromised site.

Exploitation requires a privileged user role (such as a subscriber or developer) to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary.

The vulnerability is classified under the OWASP Top 10 category A3: Injection and has a CVSS score of 6.5, indicating moderate risk.

The issue was reported on January 12, 2026, and patched in version 14.0 of the plugin.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to inject and execute malicious scripts on your website if you use the vulnerable WP Review Slider Plugin.

Such scripts can redirect visitors to malicious sites, display unwanted advertisements, or perform other harmful actions.

Because the attack requires user interaction by a privileged user, it can lead to unauthorized actions or compromise of user data.

The vulnerability is moderately dangerous and expected to be targeted in mass-exploit campaigns affecting many websites.

To mitigate the risk, users should update the plugin to version 14.0 or later and can use Patchstack mitigation rules and auto-update options.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a Stored Cross Site Scripting (XSS) issue in the WP Review Slider Plugin versions up to 13.9. Detection involves identifying if your WordPress site is running a vulnerable version of this plugin.

You can check the installed plugin version using WordPress CLI commands or by inspecting the plugin details in the WordPress admin dashboard.

  • Using WP-CLI, run: wp plugin list | grep wp-review-slider
  • Check the plugin version output to see if it is 13.9 or lower.

Additionally, monitoring web traffic for suspicious script injections or unexpected HTML payloads in pages generated by the plugin can help detect exploitation attempts.
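The version check described above, carried a step further as an added example (this is not code from Patchstack or from the plugin's author): it parses the CSV form of `wp plugin list` and compares the installed version against the affected range stated on this page (<= 13.9, fixed in 14.0). The plugin slug `wp-facebook-reviews` is taken from the description field of this record; the CSV column layout (name,status,update,version) is WP-CLI's default, and the sample plugin listing is constructed for the example rather than captured from a real site.

```shell
#!/bin/sh
# Added example (not from the advisory page): decide whether an installed
# WP Review Slider version falls inside the affected range of CVE-2026-32491.

LAST_VULN="13.9"      # highest affected version named on the page
FIXED_VERSION="14.0"  # first patched release named on the page

# version_le A B -> exit 0 if A <= B, comparing dotted numeric components
# (so 13.10 correctly sorts after 13.9, which a plain string compare gets wrong)
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 0
    }'
}

# is_vulnerable_version V -> exit 0 if V is within the affected range
is_vulnerable_version() {
    version_le "$1" "$LAST_VULN"
}

# plugin_status CSV SLUG -> prints "vulnerable <ver>", "patched <ver>" or "absent"
# CSV is the text produced by `wp plugin list --format=csv`
# (header line: name,status,update,version)
plugin_status() {
    csv="$1"; slug="$2"
    ver=$(printf '%s\n' "$csv" | awk -F, -v s="$slug" 'NR > 1 && $1 == s { print $4; exit }')
    if [ -z "$ver" ]; then
        echo "absent"
    elif is_vulnerable_version "$ver"; then
        echo "vulnerable $ver"
    else
        echo "patched $ver"
    fi
}

# Constructed sample listings (not from a real site) in the shape WP-CLI emits
SAMPLE_CSV_AFFECTED='name,status,update,version
akismet,active,none,5.3
wp-facebook-reviews,active,available,13.9'

SAMPLE_CSV_PATCHED='name,status,update,version
akismet,active,none,5.3
wp-facebook-reviews,active,none,14.0'

# Stand-alone run over the constructed samples; on a live site, substitute
#   plugin_status "$(wp plugin list --format=csv)" wp-facebook-reviews
plugin_status "$SAMPLE_CSV_AFFECTED" "wp-facebook-reviews"
plugin_status "$SAMPLE_CSV_PATCHED" "wp-facebook-reviews"
```

The numeric component compare matters because a future 13.10 release would be newer than 13.9 but sorts before it as a string; the awk loop pads missing components with zero so 13.9 and 13.9.0 compare equal.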


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to update the WP Review Slider Plugin to version 14.0 or later, where the vulnerability is patched.

Until the update can be applied, you can use mitigation rules provided by Patchstack that block attacks exploiting this vulnerability.

Enforce strict user role management to limit privileged user interactions that could trigger the exploit.

Consider enabling auto-update options for the plugin to ensure rapid protection against this and future vulnerabilities.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how CVE-2026-32491 impacts compliance with common standards and regulations such as GDPR or HIPAA.

