CVE-2026-11591 in Widgets for Google Reviews Plugin
Summary
by MITRE • 07/11/2026
The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/11/2026
The Widgets for Google Reviews plugin for WordPress presents a critical stored cross-site scripting vulnerability that affects all versions up to and including 13.3. This security flaw resides within the plugin's admin settings functionality and represents a significant threat to WordPress environments that rely on this popular review display tool. The vulnerability stems from inadequate input sanitization measures and insufficient output escaping mechanisms, creating a persistent attack vector that can compromise user sessions and execute malicious code within the context of affected websites.
The technical implementation of this vulnerability allows authenticated attackers who possess editor-level permissions or higher to inject arbitrary web scripts into the plugin's administrative interface. These injected scripts become permanently stored within the WordPress database and execute whenever any user accesses pages containing the malicious content. The flaw specifically targets multi-site installations where unfiltered_html has been disabled, indicating that the vulnerability exploits the security restrictions designed to prevent script injection in these environments. This creates a paradoxical situation where the very security measures intended to protect against such attacks actually enable the vulnerability to persist in specific configurations.
The operational impact of this vulnerability extends beyond simple script execution, potentially allowing attackers to escalate privileges and compromise entire WordPress installations. When combined with the multi-site installation requirement, the attack surface expands significantly as administrators managing multiple sites become vulnerable to persistent cross-site scripting attacks that can propagate across their network of WordPress deployments. The vulnerability affects any user who accesses pages containing the injected scripts, making it particularly dangerous in environments where editors and administrators regularly review content or access plugin settings.
This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications, and demonstrates characteristics consistent with ATT&CK technique T1548.003 related to abuse of group permissions for privilege escalation. Organizations should immediately implement mitigation strategies including immediate plugin updates to versions that address the input sanitization issues, restricting user permissions to minimize potential attack vectors, and implementing additional security layers such as web application firewalls. The vulnerability underscores the critical importance of proper input validation and output escaping in WordPress plugins, particularly those handling user-generated content or administrative settings where privileged access can be leveraged for persistent attacks.