CVE-2026-32360 in Rich Showcase for Google Reviews Plugin
Summary
by MITRE • 03/13/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richplugins Rich Showcase for Google Reviews widget-google-reviews allows Stored XSS. This issue affects Rich Showcase for Google Reviews: from n/a through <= 6.9.4.3.
Analysis
by VulDB Data Team • 03/20/2026
The vulnerability identified as CVE-2026-32360 represents a critical cross-site scripting weakness within the richplugins Rich Showcase for Google Reviews widget, specifically impacting versions up to and including 6.9.4.3. This stored XSS vulnerability occurs during the web page generation process when user input is not properly sanitized before being rendered back to users. The flaw enables attackers to inject malicious scripts that persist in the application's database and execute whenever affected pages are loaded, making it particularly dangerous for content management systems where user-generated content is prevalent.
The vulnerability stems from inadequate input validation and output encoding within the widget's processing pipeline. When users submit reviews or other content through the Google Reviews widget, the system fails to properly neutralize potentially malicious input before storing it in the database. This stored data is then retrieved and displayed on web pages without appropriate sanitization, so attacker-controlled scripts execute in the context of other users' browsers. The vulnerability falls under CWE-79, which specifically addresses cross-site scripting flaws, and aligns with ATT&CK technique T1566.001 for initial access through malicious content.
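The following is an added illustration of the pattern described above, written for this analysis; it is not code from the Rich Showcase for Google Reviews plugin or from VulDB. The review record, field names and rendering functions are constructed for the example. It places a rendering routine that echoes stored fields straight into HTML next to one that entity-encodes every value at the point of output, which is the fix the advisory calls for.

```php
<?php
// Added example (not plugin code). Demonstrates the stored-XSS pattern the
// advisory describes: review data read from storage and written into the
// page unescaped, beside a hardened version that encodes on output.

declare(strict_types=1);

// Constructed sample of a review as it might sit in the database. The author
// string deliberately carries an inline <script> element as test data.
$storedReview = [
    'author' => 'A. Reviewer <script>document.title="xss"</script>',
    'rating' => 5,
    'text'   => 'Great service & <b>fast</b> delivery.',
];

/**
 * Vulnerable rendering: stored values are concatenated directly into HTML.
 * Any markup the stored value contains is interpreted by the browser of every
 * visitor who loads the page, which is what makes the issue "stored" XSS.
 */
function render_review_vulnerable(array $review): string
{
    return '<div class="review">'
        . '<span class="author">' . $review['author'] . '</span>'
        . '<span class="rating">' . $review['rating'] . '</span>'
        . '<p>' . $review['text'] . '</p>'
        . '</div>';
}

/**
 * HTML-entity encode a value for use as text content. In WordPress the
 * equivalent helpers are esc_html() for text, esc_attr() for attribute
 * values and wp_kses_post() when a limited set of formatting tags must be
 * kept (it strips <script> while preserving tags such as <b>).
 */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened rendering: every stored value is encoded at output time, and the
 * numeric field is cast so its stored type is not trusted either.
 */
function render_review_hardened(array $review): string
{
    $rating = (int) $review['rating'];
    return '<div class="review">'
        . '<span class="author">' . esc((string) $review['author']) . '</span>'
        . '<span class="rating" data-rating="' . $rating . '">' . $rating . '</span>'
        . '<p>' . esc((string) $review['text']) . '</p>'
        . '</div>';
}

echo "Vulnerable:\n", render_review_vulnerable($storedReview), "\n\n";
echo "Hardened:\n", render_review_hardened($storedReview), "\n";
```

Run with `php example.php`. In the hardened output the `<script>` element appears as `&lt;script&gt;...` and is displayed as literal text rather than executed; the `<b>` in the review body is encoded as well, so a site that wants to keep basic formatting in reviews should pass that field through an allow-list filter such as wp_kses_post() instead of esc().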
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the capability to hijack user sessions, steal sensitive information, manipulate data, or redirect users to malicious websites. Given that this affects a widget designed for displaying Google reviews, the attack surface includes not only the widget itself but potentially the entire WordPress installation if proper security measures are not in place. The stored nature of the vulnerability means that once exploited, the malicious code will persistently affect all users who view the affected pages, making it particularly damaging for websites that rely heavily on user-generated content and reviews.
Mitigation strategies should focus on immediate input sanitization and output encoding improvements, including implementing proper HTML entity encoding for all user-supplied content before storage and rendering. Organizations should update to the latest version of the Rich Showcase for Google Reviews widget where this vulnerability has been patched, and implement additional security measures such as content security policies to limit script execution capabilities. Regular security audits and input validation testing should be conducted to prevent similar vulnerabilities from emerging in other components of the application stack. The vulnerability also highlights the importance of following secure coding practices and adhering to OWASP Top Ten guidelines for preventing XSS attacks in web applications.
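As an added example for the content security policy mitigation mentioned above (written for this analysis, not taken from the plugin or from VulDB), the snippet below sets a policy that refuses inline scripts unless they carry a per-response nonce. The permissive policy shown beside it is a constructed counter-example, and the script path is a placeholder; in a real WordPress deployment the header would be emitted from the `send_headers` action rather than from a stand-alone script.

```php
<?php
// Added example (not plugin code). Shows how Content-Security-Policy limits
// what an injected inline script can do if output encoding is missed.

declare(strict_types=1);

// Weak policy: 'unsafe-inline' permits exactly the inline <script> that a
// stored XSS plants, so it offers no protection against this bug class.
const CSP_WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'";

/**
 * Build a policy that allows only scripts the server tagged with the given
 * nonce. An injected inline script has no nonce and is blocked by the browser.
 */
function build_csp(string $nonce): string
{
    return implode('; ', [
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",
    ]);
}

// Fresh nonce per response; the same value goes on every legitimate
// <script> tag the page emits.
$nonce = base64_encode(random_bytes(16));

if (PHP_SAPI !== 'cli') {
    // In WordPress: add_action('send_headers', function () use ($nonce) { header(...); });
    header('Content-Security-Policy: ' . build_csp($nonce));
}

// Placeholder path for the widget's own script, constructed for this example.
echo '<script nonce="', $nonce, '" src="/wp-content/plugins/example/widget.js"></script>', "\n";
echo "Weak policy:   ", CSP_WEAK, "\n";
echo "Strict policy: ", build_csp($nonce), "\n";
```

A nonce-based policy is a defence-in-depth layer, not a substitute for output encoding: it contains the damage when an escaping bug slips through, but the stored markup is still present in the database and should be sanitized on input and encoded on output as described above.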