Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Stored XSS.This issue affects ArtPlacer Widget: from n/a through <= 2.23.2.
Published: 2026-01-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side code execution via stored XSS
Action: Immediate Patch
AI Analysis

Impact

The ArtPlacer Widget plugin for WordPress contains a stored cross‑site scripting vulnerability that allows an attacker to inject arbitrary JavaScript into pages served by the site. When a crafted input is saved by the plugin and later rendered, any visitor to the affected page will execute the injected script in their browser. This can lead to defacement, credential theft, or further manipulation of the user session.

Affected Systems

The vulnerability exists in all releases of the ArtPlacer Widget plugin from the first public version up to and including 2.23.2. All WordPress sites that have installed any of these plugin versions are potentially affected. The plugin is distributed under the vendor name ArtPlacer Widget.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, and the reported exploitation probability is deemed very low. The vulnerability does not appear in CISA’s Known Exploited Vulnerabilities catalog. Exploitation requires the injection of malicious input that is stored by the plugin, typically through an administrative or content‑creation interface. Once stored, the payload is served to any visitor, rendering the attack a client‑side, web‑application‑level vector. Based on the description, the likely attack vector is the plugin’s input fields that accept user‑provided data and display it without proper sanitization.

Generated by OpenCVE AI on April 28, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ArtPlacer Widget plugin to a newer version (any release newer than 2.23.2).
  • If an update is not immediately available, temporarily deactivate or delete the plugin until a patched version is released.
  • Ensure that any user‑provided content entered through the plugin is properly sanitized or escaped using WordPress’s core functions before being stored or displayed.

Generated by OpenCVE AI on April 28, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Stored XSS.This issue affects ArtPlacer Widget: from n/a through <= 2.23.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Stored XSS.This issue affects ArtPlacer Widget: from n/a through <= 2.23.2.
Title WordPress ArtPlacer Widget plugin <= 2.23.1 - Cross Site Scripting (XSS) vulnerability WordPress ArtPlacer Widget plugin <= 2.23.2 - Cross Site Scripting (XSS) vulnerability

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Artplacer
Artplacer artplacer Widget
Wordpress
Wordpress wordpress
Vendors & Products Artplacer
Artplacer artplacer Widget
Wordpress
Wordpress wordpress

Fri, 23 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Stored XSS.This issue affects ArtPlacer Widget: from n/a through <= 2.23.1.
Title WordPress ArtPlacer Widget plugin <= 2.23.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Artplacer Artplacer Widget
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:49.081Z

Reserved: 2026-01-23T12:31:51.715Z

Link: CVE-2026-24555

cve-icon Vulnrichment

Updated: 2026-01-23T21:26:56.040Z

cve-icon NVD

Status : Deferred

Published: 2026-01-23T15:16:12.210

Modified: 2026-04-28T15:16:13.530

Link: CVE-2026-24555

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T18:00:14Z

Weaknesses