CVE-2026-42643
Stored XSS in StellarWP Image Widget
Publication date: 2026-04-29
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stellarwp | image_widget | From 4.0.0 (inc) to 4.4.11 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42643 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress Image Widget Plugin versions up to and including 4.4.11.
This vulnerability allows attackers to inject malicious scriptsβsuch as redirects, advertisements, or other HTML payloadsβinto websites using the plugin.
These malicious scripts execute when visitors access the compromised site.
Exploitation requires an attacker with author or developer-level privileges to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary for successful exploitation.
How can this vulnerability impact me? :
The vulnerability can lead to attackers injecting and executing malicious scripts on your website, which can result in unauthorized redirects, display of unwanted advertisements, or other harmful HTML payloads.
This can compromise the integrity and trustworthiness of your website for visitors.
Because exploitation requires user interaction and certain privileges, the risk is moderate but still significant.
The vulnerability has a CVSS score of 5.9, indicating moderate severity.
Users are strongly advised to update to version 4.4.12 or later of the Image Widget Plugin to mitigate this risk.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-42643 vulnerability in the StellarWP Image Widget Plugin, users should update the plugin to version 4.4.12 or later, where the vulnerability is patched.
Patchstack offers automated updates specifically for vulnerable plugins to facilitate rapid protection, which can be used to quickly secure affected systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-42643 vulnerability is a Cross Site Scripting (XSS) issue that allows attackers to inject malicious scripts into websites using the affected plugin. Such vulnerabilities can potentially lead to unauthorized access or manipulation of user data.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations. Exploitation could lead to data breaches or unauthorized data exposure, thereby impacting compliance.
Therefore, organizations using the affected plugin should consider this vulnerability a risk to their regulatory compliance and should apply the recommended patch to mitigate potential legal and security consequences.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WordPress Image Widget Plugin versions up to 4.4.11. Detection typically involves identifying if the vulnerable plugin version is installed and if malicious scripts have been injected into the website content.
To detect the presence of the vulnerable plugin version on your system, you can check the installed plugin version in WordPress. For example, using WP-CLI, you can run:
- wp plugin list --status=active
Look for the 'image-widget' plugin and verify if its version is less than or equal to 4.4.11.
To detect potential exploitation or injected malicious scripts, you can search your website files or database for suspicious script tags or payloads related to XSS. For example, using grep on your web root directory:
- grep -r --include=*.php '<script' /path/to/wordpress/wp-content/plugins/image-widget/
- grep -r --include=*.php 'onerror=' /path/to/wordpress/wp-content/plugins/image-widget/
Additionally, monitoring HTTP requests and responses for unexpected script injections or unusual user input handling can help detect exploitation attempts.
Ultimately, the best mitigation is to update the plugin to version 4.4.12 or later.
How can this vulnerability impact me? :
If exploited, this vulnerability can lead to the execution of malicious scripts on your website, potentially causing unauthorized redirects, displaying unwanted advertisements, or other harmful actions.
This can degrade user trust, harm your website's reputation, and potentially expose users to further attacks.
However, the overall impact is considered moderate with a CVSS score of 5.9, and exploitation requires specific privileges and user interaction.
Updating the plugin to version 4.4.12 or later mitigates this risk.
Can you explain this vulnerability to me?
CVE-2026-42643 is a Cross Site Scripting (XSS) vulnerability in the WordPress Image Widget Plugin versions up to and including 4.4.11.
This vulnerability allows attackers to inject malicious scriptsβsuch as redirects, advertisements, or other HTML payloadsβinto websites using the plugin.
These malicious scripts execute when visitors access the compromised site.
Exploitation requires an attacker with author or developer-level privileges and some user interaction, such as clicking a malicious link or submitting a form.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the WordPress Image Widget Plugin version is 4.4.11 or earlier, as these versions are affected by the stored XSS issue.
Since exploitation requires an attacker with author or developer-level privileges to inject malicious scripts, monitoring for unusual script injections or unexpected HTML payloads in the widget content can help detect exploitation attempts.
Specific commands are not provided in the available resources, but typical detection steps could include:
- Checking the installed plugin version via WP-CLI: `wp plugin list | grep image-widget`
- Searching for suspicious script tags or HTML payloads in the database entries related to the Image Widget content.
- Monitoring web server logs for unusual requests or payloads that could indicate attempted XSS exploitation.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update the WordPress Image Widget Plugin to version 4.4.12 or later, where the vulnerability has been patched.
Users are strongly advised to apply this update as soon as possible to prevent exploitation.
Additionally, consider implementing automated updates for vulnerable plugins to facilitate rapid protection.
Limiting author or developer-level privileges and monitoring for suspicious activity can also reduce the risk of exploitation.