CVE-2026-42643
Received Received - Intake
Stored XSS in StellarWP Image Widget

Publication date: 2026-04-29

Last updated on: 2026-04-29

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP Image Widget image-widget allows Stored XSS.This issue affects Image Widget: from n/a through <= 4.4.11.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42643
EUVD
EUVD-2026-26214
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
stellarwp image_widget From 4.0.0 (inc) to 4.4.11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

If exploited, this vulnerability can lead to the execution of malicious scripts on your website, potentially causing unauthorized redirects, displaying unwanted advertisements, or other harmful actions.

This can degrade user trust, harm your website's reputation, and potentially expose users to further attacks.

However, the overall impact is considered moderate with a CVSS score of 5.9, and exploitation requires specific privileges and user interaction.

Updating the plugin to version 4.4.12 or later mitigates this risk.

Executive Summary

CVE-2026-42643 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress Image Widget Plugin versions up to and including 4.4.11.

This vulnerability allows attackers to inject malicious scriptsβ€”such as redirects, advertisements, or other HTML payloadsβ€”into websites using the plugin.

These malicious scripts execute when visitors access the compromised site.

Exploitation requires an attacker with author or developer-level privileges to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary for successful exploitation.

Impact Analysis

The vulnerability can lead to attackers injecting and executing malicious scripts on your website, which can result in unauthorized redirects, display of unwanted advertisements, or other harmful HTML payloads.

This can compromise the integrity and trustworthiness of your website for visitors.

Because exploitation requires user interaction and certain privileges, the risk is moderate but still significant.

The vulnerability has a CVSS score of 5.9, indicating moderate severity.

Users are strongly advised to update to version 4.4.12 or later of the Image Widget Plugin to mitigate this risk.

Mitigation Strategies

To mitigate the CVE-2026-42643 vulnerability in the StellarWP Image Widget Plugin, users should update the plugin to version 4.4.12 or later, where the vulnerability is patched.

Patchstack offers automated updates specifically for vulnerable plugins to facilitate rapid protection, which can be used to quickly secure affected systems.

Compliance Impact

The CVE-2026-42643 vulnerability is a Cross Site Scripting (XSS) issue that allows attackers to inject malicious scripts into websites using the affected plugin. Such vulnerabilities can potentially lead to unauthorized access or manipulation of user data.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations. Exploitation could lead to data breaches or unauthorized data exposure, thereby impacting compliance.

Therefore, organizations using the affected plugin should consider this vulnerability a risk to their regulatory compliance and should apply the recommended patch to mitigate potential legal and security consequences.

Detection Guidance

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WordPress Image Widget Plugin versions up to 4.4.11. Detection typically involves identifying if the vulnerable plugin version is installed and if malicious scripts have been injected into the website content.

To detect the presence of the vulnerable plugin version on your system, you can check the installed plugin version in WordPress. For example, using WP-CLI, you can run:

  • wp plugin list --status=active

Look for the 'image-widget' plugin and verify if its version is less than or equal to 4.4.11.

To detect potential exploitation or injected malicious scripts, you can search your website files or database for suspicious script tags or payloads related to XSS. For example, using grep on your web root directory:

  • grep -r --include=*.php '<script' /path/to/wordpress/wp-content/plugins/image-widget/
  • grep -r --include=*.php 'onerror=' /path/to/wordpress/wp-content/plugins/image-widget/

Additionally, monitoring HTTP requests and responses for unexpected script injections or unusual user input handling can help detect exploitation attempts.

Ultimately, the best mitigation is to update the plugin to version 4.4.12 or later.

Executive Summary

CVE-2026-42643 is a Cross Site Scripting (XSS) vulnerability in the WordPress Image Widget Plugin versions up to and including 4.4.11.

This vulnerability allows attackers to inject malicious scriptsβ€”such as redirects, advertisements, or other HTML payloadsβ€”into websites using the plugin.

These malicious scripts execute when visitors access the compromised site.

Exploitation requires an attacker with author or developer-level privileges and some user interaction, such as clicking a malicious link or submitting a form.

Detection Guidance

Detection of this vulnerability involves identifying if the WordPress Image Widget Plugin version is 4.4.11 or earlier, as these versions are affected by the stored XSS issue.

Since exploitation requires an attacker with author or developer-level privileges to inject malicious scripts, monitoring for unusual script injections or unexpected HTML payloads in the widget content can help detect exploitation attempts.

Specific commands are not provided in the available resources, but typical detection steps could include:

  • Checking the installed plugin version via WP-CLI: `wp plugin list | grep image-widget`
  • Searching for suspicious script tags or HTML payloads in the database entries related to the Image Widget content.
  • Monitoring web server logs for unusual requests or payloads that could indicate attempted XSS exploitation.
Mitigation Strategies

The primary and immediate mitigation step is to update the WordPress Image Widget Plugin to version 4.4.12 or later, where the vulnerability has been patched.

Users are strongly advised to apply this update as soon as possible to prevent exploitation.

Additionally, consider implementing automated updates for vulnerable plugins to facilitate rapid protection.

Limiting author or developer-level privileges and monitoring for suspicious activity can also reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42643. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart