Executive Summary

CVE-2026-39674 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress MK Google Directions Plugin versions up to and including 3.1.1.

This vulnerability is classified under the OWASP Top 10 category A3: Injection and allows attackers to inject malicious scripts—such as redirects, advertisements, or other HTML payloads—into websites using the vulnerable plugin.

These malicious scripts execute when site visitors access the compromised pages.

Exploitation requires a user with at least Contributor-level privileges to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary for the attack to succeed.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows attackers to inject and execute malicious scripts on websites using the vulnerable plugin.

• Attackers can perform redirects to malicious sites.
• Attackers can display unwanted advertisements.
• Attackers can inject other harmful HTML payloads that may compromise user experience or security.

Exploitation requires user interaction and at least Contributor-level privileges, which limits the impact somewhat.

Despite the potential for mass exploitation campaigns, the vulnerability is considered low priority due to its limited impact.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is a DOM-Based Cross Site Scripting (XSS) issue in the MK Google Directions Plugin up to version 3.1.1. Detection typically involves checking if the vulnerable plugin version is installed and monitoring for injected malicious scripts in web pages generated by the plugin.

Since this is a web application vulnerability requiring user interaction, detection can include reviewing web server logs for suspicious requests or payloads, and scanning the website pages for injected scripts.

No specific commands are provided in the available resources, but general approaches include:

• Using web vulnerability scanners that detect XSS vulnerabilities on the affected plugin pages.
• Manually inspecting the source code of pages generated by the plugin for unexpected script injections.
• Checking the installed plugin version in WordPress to confirm if it is version 3.1.1 or earlier.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating the MK Google Directions Plugin to a fixed version if an update is released.

Since no official patch is currently available, it is recommended to seek assistance from hosting providers or web developers to implement temporary protections.

Additional mitigation can involve limiting user privileges to prevent attackers from exploiting the vulnerability, as exploitation requires at least Contributor-level user interaction.

Monitoring and filtering inputs to the plugin and applying web application firewall (WAF) rules to block malicious payloads may also help reduce risk.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-39674 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0