Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antoniobg ABG Rich Pins abg-rich-pins allows Stored XSS. This issue affects ABG Rich Pins: from n/a through <= 1.1.
Published: 2026-01-23
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The ABG Rich Pins WordPress plugin does not neutralize user-supplied input before placing it in generated pages, which allows stored cross-site scripting. Content submitted through the plugin is persisted and later rendered unescaped in pages viewed by other users, so an attacker who can store a payload gets script execution, in the site's own origin, in the browser of anyone who views the affected page. Typical outcomes are phishing, session or credential theft, and defacement of the page content. The CVSS vector records a low impact on confidentiality and integrity and no impact on availability. The weakness is catalogued as CWE-79; it is an output-neutralization (escaping) flaw rather than a pure input-validation bug, so the fix belongs at the point where the stored value is written into HTML.

Affected Systems

WordPress sites running the ABG Rich Pins plugin by antoniobg (slug abg-rich-pins) at version 1.1 or earlier are affected. The advisory gives the affected range as "n/a through 1.1", i.e. every release up to and including 1.1; no fixed version is named and no finer-grained version list is provided.

Risk and Exploitability

The CVSS 3.1 base score of 5.4 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates medium severity: the attack is reachable over the network and low in complexity, but it requires an authenticated account with low privileges to store the payload and a victim to view the page where it is rendered. Scope is "changed" because the script executes in the victim's browser rather than in the vulnerable plugin itself. The EPSS score is below 1 %, a very low current probability of exploitation; the CVE is not listed in the CISA KEV catalog and no public exploit is documented. The SSVC assessment agrees: exploitation "none", not automatable, partial technical impact. The likely attack path is therefore a user with permission to add or edit content through the plugin's interface storing a malicious value that is subsequently served to visitors.

Generated by OpenCVE AI on April 16, 2026 at 17:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ABG Rich Pins plugin to a release newer than 1.1 as soon as one is published; at the time of writing the advisory names no fixed version.
  • Until a fix is available, deactivate or uninstall the plugin, or at least limit the accounts that can add or edit content through it to trusted users, since the vector requires only a low-privilege authenticated account.
  • As defence in depth, make sure any theme or plugin code that renders the stored values escapes them for the context in which they are output (esc_html(), esc_attr() or an allowlist sanitizer such as wp_kses_post() in WordPress), and consider a Content-Security-Policy. Merely stripping <script> tags is not sufficient, because payloads can be carried in event-handler attributes of other elements.

Generated by OpenCVE AI on April 16, 2026 at 17:46 UTC.
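The following is an added illustration, not code from the ABG Rich Pins plugin or from OpenCVE. It shows the CWE-79 pattern described under Impact (a stored value concatenated into generated HTML without escaping) and why the third recommended action above, stripping script tags, is weaker than contextual escaping. The og:title tag, the option value and the payload are constructed assumptions; htmlspecialchars() stands in for WordPress's esc_attr() so the script runs under plain php without WordPress loaded.

```php
<?php
// Added example, not code from the ABG Rich Pins plugin or from OpenCVE.
// Demonstrates the stored-XSS (CWE-79) pattern and its fix in a WordPress-style
// renderer. Assumptions: the og:title tag, the payload and the "stored" value are
// constructed; htmlspecialchars() stands in for WordPress esc_attr() so this runs
// with `php example.php` and no WordPress installation.

// Constructed attacker-controlled value, as saved by a low-privilege account
// (PR:L in the CVSS vector). No <script> tag is needed for execution.
$stored = '"><img src=x onerror=alert(document.domain)>';

// Vulnerable: the stored value is concatenated into an attribute unescaped.
function render_vulnerable(string $value): string
{
    return '<meta property="og:title" content="' . $value . '">';
}

// Weak mitigation: remove <script>...</script> blocks. Event-handler attributes
// on other elements are untouched, so the payload above survives unchanged.
function strip_script_tags(string $value): string
{
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '', $value);
}

// Fix: escape for the HTML attribute context. ENT_QUOTES encodes both quote
// characters, so the value can no longer terminate the attribute. In WordPress
// use esc_attr() here and esc_html() for text nodes.
function render_fixed(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<meta property="og:title" content="' . $escaped . '">';
}

// Check: count the elements actually present in the output. A single <meta>
// means the value stayed inside the attribute; a second element means the
// attacker broke out of it and injected markup of their own.
function count_elements(string $html): int
{
    return preg_match_all('/<[a-z]/i', $html);
}

foreach ([
    'vulnerable'   => render_vulnerable($stored),
    'strip-script' => render_vulnerable(strip_script_tags($stored)),
    'escaped'      => render_fixed($stored),
] as $label => $html) {
    printf("%-12s elements=%d  %s\n", $label, count_elements($html), $html);
}
```

Running it shows two elements for both the vulnerable and the script-stripped output (the injected <img> with its onerror handler is intact) and one element for the escaped output, where the payload is inert text inside the content attribute. The same reasoning applies to text-node context with esc_html(), and to URL or JavaScript contexts, which need their own escaping functions.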

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 12:00:00 +0000

Type                 Values Removed  Values Added
First Time appeared  -               Wordpress; Wordpress wordpress
Vendors & Products   -               Wordpress; Wordpress wordpress

Fri, 23 Jan 2026 21:15:00 +0000

Type     Values Removed  Values Added
Metrics  -               cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
                         ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 14:45:00 +0000

Type         Values Removed  Values Added
Description  -               Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antoniobg ABG Rich Pins abg-rich-pins allows Stored XSS.This issue affects ABG Rich Pins: from n/a through <= 1.1.
Title        -               WordPress ABG Rich Pins plugin <= 1.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses   -               CWE-79
References   -               -

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:17.350Z

Reserved: 2026-01-23T12:31:51.716Z

Link: CVE-2026-24558

Vulnrichment

Updated: 2026-01-23T21:06:09.701Z

NVD

Status: Deferred

Published: 2026-01-23T15:16:13.043

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24558

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:00:11Z

Weaknesses