The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
History

Sat, 11 Jul 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Trustindex
Trustindex widgets For Google Reviews
Wordpress
Wordpress wordpress
Vendors & Products Trustindex
Trustindex widgets For Google Reviews
Wordpress
Wordpress wordpress

Sat, 11 Jul 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Widgets for Google Reviews <= 13.3 - Authenticated (Editor+) Stored Cross-Site Scripting via 'fomo-title' and 'fomo-text' Parameters
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-11T05:35:47.927Z

Reserved: 2026-06-08T13:46:43.638Z

Link: CVE-2026-11591

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-11T07:30:03Z