Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Manoj Kumar MK Google Directions google-distance-calculator allows DOM-Based XSS.This issue affects MK Google Directions: from n/a through <= 3.1.1.
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (DOM‑Based XSS)
Action: Patch Immediately
AI Analysis

Impact

The flaw is a DOM-based Cross‑Site Scripting (XSS) vulnerability that enables an attacker to inject arbitrary client‑side scripts into pages rendered by the MK Google Directions plugin. Because the plugin fails to properly neutralize user input, malicious code can execute in the victim’s browser, potentially leading to credential theft, session hijacking, defacement or other client‑side attacks. The weakness is a classic XSS issue, classified as CWE-79.

Affected Systems

The vulnerability affects the Manoj Kumar MK Google Directions WordPress plugin for all releases up to and including version 3.1.1. No data exist for versions beyond that boundary, so site owners using any of these releases remain exposed until an updated version is applied.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The flaw is not listed in CISA’s Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that the likely attack vector involves a victim visiting a page containing crafted plugin input or a malicious link; no server-side compromise or special privileges are required, making the risk primarily to site visitors who load the vulnerable plugin.

Generated by OpenCVE AI on April 8, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MK Google Directions plugin to any version newer than 3.1.1
  • If an update is not available, disable or uninstall the plugin
  • Verify that no remnants of older plugin versions remain on the site
  • Monitor vendor advisories for future updates

Generated by OpenCVE AI on April 8, 2026 at 21:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Manoj Kumar
Manoj Kumar mk Google Directions
Wordpress
Wordpress wordpress
Vendors & Products Manoj Kumar
Manoj Kumar mk Google Directions
Wordpress
Wordpress wordpress
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Manoj Kumar MK Google Directions google-distance-calculator allows DOM-Based XSS.This issue affects MK Google Directions: from n/a through <= 3.1.1.
Title WordPress MK Google Directions plugin <= 3.1.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Manoj Kumar Mk Google Directions
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:04.007Z

Reserved: 2026-04-07T10:58:05.154Z

Link: CVE-2026-39674

cve-icon Vulnrichment

Updated: 2026-04-08T18:52:49.910Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:38.957

Modified: 2026-04-24T18:06:04.160

Link: CVE-2026-39674

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:28:08Z

Weaknesses