CVE-2026-4161 in Review Map by RevuKangaroo Plugin
Summary
by MITRE • 03/21/2026
The Review Map by RevuKangaroo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability identified as CVE-2026-4161 affects the Review Map by RevuKangaroo WordPress plugin in all versions up to and including 1.7. It is a critical stored cross-site scripting vulnerability arising from insufficient input sanitization and output escaping in the plugin's settings interface. The flaw lies in how the plugin handles user input when processing configuration parameters: injected content is persisted to the database and executes whenever an affected page is accessed.
The technical nature of this vulnerability stems from the plugin's failure to properly sanitize and escape user-supplied data before storing it in the WordPress database and subsequently rendering it in web pages. When administrators modify plugin settings, the input validation is inadequate, allowing malicious scripts to be stored as part of the configuration data. The stored payload then executes in the browsers of other users who access pages containing the injected content, making it a persistent threat that can affect multiple users within the same WordPress installation.
The operational impact of this vulnerability is particularly severe given that it requires only administrator-level access or higher to exploit, making it a significant risk for multi-site WordPress installations. Attackers with elevated privileges can inject malicious JavaScript that executes whenever legitimate users access pages where the stored content is rendered. This creates potential for data theft, session hijacking, or redirection to malicious sites. The vulnerability specifically affects multi-site installations, which are common in enterprise environments, and installations where unfiltered_html has been disabled; these are precisely the environments that have been hardened by denying administrators the ability to post unfiltered HTML, and the plugin's missing sanitization bypasses that restriction, so the attack vector is particularly dangerous in security-hardened environments.
The vulnerability aligns with CWE-79, which describes cross-site scripting flaws, and maps to ATT&CK technique T1059.007 for JavaScript execution. The attack requires authenticated access, placing it in the category of privilege escalation vulnerabilities that can be exploited by compromised administrator accounts or insider threats. The impact extends beyond simple script execution, as the malicious code can potentially access user sessions, steal cookies, or redirect users to phishing sites. Organizations with multi-site WordPress installations are particularly vulnerable since the attack can propagate across multiple sites within the network.
Mitigation strategies should include immediate patching of the plugin to version 1.8 or later, which addresses the input sanitization and output escaping issues. Administrators should also implement network-level monitoring to detect unusual script injection patterns and consider implementing content security policies to prevent execution of unauthorized scripts. Additionally, regular security audits of WordPress plugins and themes should be conducted to identify similar vulnerabilities, and privileged accounts should be protected through multi-factor authentication and strict access controls. The vulnerability demonstrates the importance of proper input validation and output escaping in web applications, particularly in CMS environments where multiple users with varying privilege levels can modify system configurations.
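The pattern the analysis describes (settings saved without sanitization and echoed without escaping) beside the corrected form, as an added illustration that is not the Review Map plugin's own code; the option names `rk_map_title` and `rk_map_intro` and the function names are hypothetical, while `register_setting`, `sanitize_text_field`, `wp_kses_post`, `esc_html` and `get_option` are standard WordPress APIs.

```php
<?php
// Added illustration, not the Review Map plugin's own code. The option names
// (rk_map_title, rk_map_intro) and function names below are hypothetical.

// --- Before: the pattern the advisory describes ---------------------------
// The raw POST value is stored unchanged and later echoed unescaped. Because
// the value lives in the database, the script runs for every visitor of a page
// that renders the setting (stored XSS). Single-site admins normally hold the
// unfiltered_html capability and may post markup anyway, which is why the issue
// matters on multisite or where unfiltered_html has been disabled: the plugin
// lets a restricted admin store HTML that WordPress itself would have filtered.
function rk_map_save_settings_vulnerable() {
    if ( isset( $_POST['rk_map_title'] ) ) {
        update_option( 'rk_map_title', wp_unslash( $_POST['rk_map_title'] ) ); // no sanitization
    }
}
function rk_map_render_title_vulnerable() {
    echo '<h2 class="rk-map-title">' . get_option( 'rk_map_title' ) . '</h2>'; // no escaping
}

// --- After: sanitize on save, escape on output -----------------------------
// register_setting() attaches a sanitize_callback that WordPress runs on every
// update_option() for the option, so sanitization applies to all save paths.
function rk_map_register_settings() {
    register_setting( 'rk_map_options', 'rk_map_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // plain-text field: strip all tags
        'default'           => '',
    ) );
    register_setting( 'rk_map_options', 'rk_map_intro', array(
        'type'              => 'string',
        'sanitize_callback' => 'wp_kses_post', // rich-text field: keep post-safe HTML only
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'rk_map_register_settings' );

function rk_map_render_title_fixed() {
    // Escape at the point of output, for the context the value lands in (HTML text).
    echo '<h2 class="rk-map-title">' . esc_html( get_option( 'rk_map_title' ) ) . '</h2>';
}
function rk_map_render_intro_fixed() {
    // wp_kses_post already ran on save; filtering again on output means a value
    // that reached the database through another route is still neutralised.
    echo '<div class="rk-map-intro">' . wp_kses_post( get_option( 'rk_map_intro' ) ) . '</div>';
}
```

Values rendered inside attributes or JavaScript need `esc_attr()` or `wp_json_encode()` respectively rather than `esc_html()`; the escaping function must match the output context.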