CVE-2026-39674
DOM-Based XSS in MK Google Directions Plugin
Publication date: 2026-04-08
Last updated on: 2026-04-08
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mk_google_directions | google_distance_calculator | to 3.1.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39674 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress MK Google Directions Plugin versions up to and including 3.1.1.
This vulnerability is classified under the OWASP Top 10 category A3: Injection and allows attackers to inject malicious scriptsβsuch as redirects, advertisements, or other HTML payloadsβinto websites using the vulnerable plugin.
These malicious scripts execute when site visitors access the compromised pages.
Exploitation requires a user with at least Contributor-level privileges to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary for the attack to succeed.
How can this vulnerability impact me? :
The vulnerability allows attackers to inject and execute malicious scripts on websites using the vulnerable plugin.
- Attackers can perform redirects to malicious sites.
- Attackers can display unwanted advertisements.
- Attackers can inject other harmful HTML payloads that may compromise user experience or security.
Exploitation requires user interaction and at least Contributor-level privileges, which limits the impact somewhat.
Despite the potential for mass exploitation campaigns, the vulnerability is considered low priority due to its limited impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a DOM-Based Cross Site Scripting (XSS) issue in the MK Google Directions Plugin up to version 3.1.1. Detection typically involves checking if the vulnerable plugin version is installed and monitoring for injected malicious scripts in web pages generated by the plugin.
Since this is a web application vulnerability requiring user interaction, detection can include reviewing web server logs for suspicious requests or payloads, and scanning the website pages for injected scripts.
No specific commands are provided in the available resources, but general approaches include:
- Using web vulnerability scanners that detect XSS vulnerabilities on the affected plugin pages.
- Manually inspecting the source code of pages generated by the plugin for unexpected script injections.
- Checking the installed plugin version in WordPress to confirm if it is version 3.1.1 or earlier.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of the CVE-2026-39674 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the MK Google Directions Plugin to a fixed version if an update is released.
Since no official patch is currently available, it is recommended to seek assistance from hosting providers or web developers to implement temporary protections.
Additional mitigation can involve limiting user privileges to prevent attackers from exploiting the vulnerability, as exploitation requires at least Contributor-level user interaction.
Monitoring and filtering inputs to the plugin and applying web application firewall (WAF) rules to block malicious payloads may also help reduce risk.