Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP TripAdvisor Review Slider wp-tripadvisor-review-slider allows Stored XSS. This issue affects WP TripAdvisor Review Slider: from n/a through <= 14.1.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from an improper neutralization of user input in the WP TripAdvisor Review Slider plugin, allowing malicious JavaScript to be stored in the database and rendered in web pages for all site visitors. The stored XSS can result in session hijacking, credential theft, defacement, or other malicious activity executed in the context of a legitimate user’s browser, compromising confidentiality, integrity, and availability of the site’s content.

Affected Systems

WordPress installations that have the jgwhite33 WP TripAdvisor Review Slider plugin installed in any version up to and including 14.1 are affected. Sites that rely on the plugin to display user reviews or ratings without upgrading past 14.1 expose themselves to this risk.

Risk and Exploitability

The CVSS score of 6.5 reflects moderate severity. Exploitation requires the ability to submit or edit review content that the plugin stores. Based on the description, it is inferred that attackers could exploit the plugin by accessing the review submission or editing interfaces to inject JavaScript. The lack of an EPSS score and absence from the KEV catalog suggest that active exploitation is not yet documented, but the vulnerability remains a realistic threat to sites that publicly display reviews and may have users with contributor or administrative privileges.

Generated by OpenCVE AI on March 25, 2026 at 23:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP TripAdvisor Review Slider plugin to version 14.2 or later.
  • If an upgrade is not immediately feasible, disable the plugin until a fix is applied.
  • Verify that all user‑generated content is properly sanitized before storage or rendering.
  • Monitor site logs for unusual input patterns or repeated attempts to inject markup.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ljapps; Ljapps wp Tripadvisor Review Slider; Wordpress; Wordpress wordpress
Vendors & Products | | Ljapps; Ljapps wp Tripadvisor Review Slider; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP TripAdvisor Review Slider wp-tripadvisor-review-slider allows Stored XSS. This issue affects WP TripAdvisor Review Slider: from n/a through <= 14.1.
Title | | WordPress WP TripAdvisor Review Slider plugin <= 14.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:23:35.469Z

Reserved: 2026-03-12T11:12:00.510Z

Link: CVE-2026-32490

Vulnrichment

Updated: 2026-03-25T20:22:53.516Z

NVD

Status: Deferred

Published: 2026-03-25T17:17:00.533

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32490

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:33Z

Weaknesses