Description
The Geo Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL path in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-14
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Geo Widget plugin for WordPress stores attacker-supplied script through an unsanitized URL path, allowing an unauthenticated attacker to embed arbitrary JavaScript that executes whenever a user visits the affected page. This stored Cross-Site Scripting flaw can lead to session hijacking, defacement, or redirection of legitimate users, impacting the confidentiality and integrity of the site's data and user interactions.

Affected Systems

All installations of the Geo Widget plugin for WordPress with versions up to and including 1.0 are vulnerable. The vulnerability stems from insufficient input validation and output escaping in the plugin's URL handling code.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. An attacker can exploit the vulnerability by crafting a malicious URL that contains an injected script and directing victims to that URL; no special privileges are required.

Generated by OpenCVE AI on April 15, 2026 at 18:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Geo Widget plugin to a version newer than 1.0 if available.
  • If an update is not available, uninstall or disable the plugin to eliminate the attack surface.
  • Implement a web application firewall rule or a Content Security Policy that blocks inline script execution on the affected path.


Tracking


Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Owencutajar; Owencutajar geo Widget; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Owencutajar; Owencutajar geo Widget; Wordpress; Wordpress wordpress

Sat, 14 Feb 2026 06:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Geo Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL path in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: Geo Widet <= 1.0 - Reflected Cross-Site Scripting

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Owencutajar Geo Widget
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:48.305Z

Reserved: 2026-02-03T07:42:53.415Z

Link: CVE-2026-1792

Vulnrichment

Updated: 2026-02-17T15:36:46.371Z

NVD

Status: Deferred

Published: 2026-02-14T07:16:10.553

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1792

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:45:11Z

Weaknesses