Impact
The WP Google Review Slider plugin is vulnerable to reflected cross‑site scripting through the 'place' parameter in admin/partials/googlecrawl_dfs.php. Unsanitized input is URL‑decoded, stripped, and echoed directly into an HTML attribute, allowing an attacker to inject arbitrary JavaScript. Because the attack is client‑side, an unauthenticated adversary can deliver malicious scripts to any user who clicks a crafted link, potentially stealing credentials, defacing pages, or initiating phishing campaigns. The CWE in play is CWE‑79, indicating insufficient input validation.
Affected Systems
The vulnerability affects the jgwhite33 WP Google Review Slider plugin for WordPress in all releases up to and including version 18.1. WordPress sites that have this plugin installed are at risk unless they update to a newer release where the fix has been applied.
Risk and Exploitability
The CVSS score the issue in the medium severity range. No EPSS data is available, and it has not been listed in CISA’s KEV catalog, but the reliance on a crafted URL and the need for user interaction means the threat is focused on social engineering or phishing campaigns. The risk is heightened on high‑traffic sites or those that expose the plugin’s admin interface to public users. As the vulnerability can be triggered by an unauthenticated attacker, the potential impact to affected users remains significant.
OpenCVE Enrichment