Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Manoj Kumar MK Google Directions google-distance-calculator allows DOM-Based XSS. This issue affects MK Google Directions: from n/a through <= 3.1.1.
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Patch Immediately
AI Analysis

Impact

Improper neutralization of input during web page generation allows a DOM‑based cross‑site scripting flaw in the Manoj Kumar MK Google Directions WordPress plugin. The flaw causes untrusted data supplied to the plugin to be rendered directly as JavaScript in the visitor’s browser, enabling arbitrary code execution in the site visitor’s context. This can lead to session hijacking, defacement, or malicious redirects. The weakness is a reflected XSS failure, classified as CWE‑79.

Affected Systems

The vulnerability affects the MK Google Directions plugin for WordPress, developed by Manoj Kumar. All released versions from the initial release through version 3.1.1 are impacted; no later versions are mentioned in the advisory.

Risk and Exploitability

No CVSS score or EPSS value is published for this issue, but XSS vulnerabilities generally pose a moderate to high risk for confidentiality and integrity due to potential code execution in users’ browsers. The CVE is not listed in the CISA KEV catalog, indicating that widespread exploitation has not been documented. Based on the description, it is inferred that exploitation requires a victim to interact with crafted input—such as visiting a specially constructed URL or entering manipulated data—since the flaw is client‑side and depends on the plugin processing user‑supplied content.

Generated by OpenCVE AI on April 8, 2026 at 10:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MK Google Directions plugin to the latest available version, which removes the XSS flaw.
  • If an upgrade cannot be performed immediately, deactivate or delete the plugin to eliminate the attack surface until a patch is installed.
  • Verify other WordPress plugins for similar vulnerabilities and keep the core platform updated to reduce overall risk.

Generated by OpenCVE AI on April 8, 2026 at 10:33 UTC.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

  • First Time appeared. Values Added: Manoj Kumar; Manoj Kumar mk Google Directions; Wordpress; Wordpress wordpress
  • Vendors & Products. Values Added: Manoj Kumar; Manoj Kumar mk Google Directions; Wordpress; Wordpress wordpress
  • Metrics. Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 08 Apr 2026 08:45:00 +0000

  • Description. Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Manoj Kumar MK Google Directions google-distance-calculator allows DOM-Based XSS. This issue affects MK Google Directions: from n/a through <= 3.1.1.
  • Title. Values Added: WordPress MK Google Directions plugin <= 3.1.1 - Cross Site Scripting (XSS) vulnerability
  • Weaknesses. Values Added: CWE-79
  • References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T18:59:00.562Z

Reserved: 2026-04-07T10:58:05.154Z

Link: CVE-2026-39674

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T09:16:38.957

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39674

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:41:01Z

Weaknesses