Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP Image Widget image-widget allows Stored XSS. This issue affects Image Widget: from n/a through <= 4.4.11.
Published: 2026-04-29
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw (CWE-79): input supplied through the Image Widget settings is not neutralized before the plugin writes it into generated pages. Because the payload is persisted with the widget configuration, it executes in the browser of every visitor who loads a page on which the widget is rendered, not only in the session of the account that planted it. From that position an attacker can act against the WordPress admin interface as any logged-in victim, read or exfiltrate page content and form data, deface the page, or redirect visitors to further attacks; outright session-cookie theft depends on the site's cookie flags (WordPress sets HttpOnly on its auth cookies by default).

Affected Systems

WordPress sites running the StellarWP Image Widget plugin (slug image-widget) at version 4.4.11 or earlier. The CVE record gives no lower bound ("from n/a"), so every release up to and including 4.4.11 should be treated as affected.

Risk and Exploitability

The CVSS v3.1 base score is 5.9 (Medium) with vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. PR:H means the attacker needs a high-privilege account: editing widgets in WordPress requires the edit_theme_options capability, which is normally held by administrators, not by authors or editors. UI:R reflects that a victim must load a page on which the widget renders, and S:C that the script then runs in the site's origin against users other than the one who stored it. The practical risk is highest on multisite installs and on sites that define DISALLOW_UNFILTERED_HTML, where administrators are deliberately denied the ability to inject script, and lowest on single-site installs where the administrator already holds unfiltered_html. The EPSS score is below 1% (very low predicted probability of exploitation), and the vulnerability is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on April 30, 2026 at 04:00 UTC.

Remediation

No vendor fix or workaround currently provided. The "<= 4.4.11" bound in the CVE record implies the issue is closed in a later release, but the record itself names no fixed version; confirm against the plugin changelog before relying on an upgrade.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 4.4.12 or later, after confirming in the plugin changelog that the release addresses this CVE (the Remediation section above records no vendor fix at the time of writing)
  • If the plugin is not required for site functionality, deactivate and delete it rather than only removing the widget from sidebars, since the vulnerable code stays installed otherwise
  • As defense in depth, not a substitute for the patch, configure a web application firewall rule to detect and block script-injection payloads in the widget's save request, and after upgrading audit the stored widget options (the widget_* rows in wp_options) for script tags or on* event handlers: an escaping fix does not by itself remove a payload that is already persisted

Generated by OpenCVE AI on April 30, 2026 at 04:00 UTC.
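The bug class described above, as an added illustration that is not code from the StellarWP Image Widget plugin: a hypothetical WP_Widget that stores an image URL, alt text and caption, shown first in the unsafe pattern (saved values echoed into the page unescaped, which is what CWE-79 in a widget looks like) and then hardened with sanitize-on-save plus escape-on-output. Class names, option fields and markup are assumptions; WP_Widget, current_user_can, esc_url_raw, sanitize_text_field, wp_kses_post, esc_url and esc_attr are WordPress core functions.

```php
<?php
/**
 * Added illustration for the CVE-2026-42643 bug class. NOT the plugin's
 * code: the class names, instance fields and markup here are hypothetical.
 * Requires WordPress core (WP_Widget and the esc_* / wp_kses_* helpers).
 */

// Unsafe pattern. Anyone who can edit widgets (PR:H in the CVSS vector,
// i.e. an administrator-level account) can save
//   " onerror="alert(document.domain)
// as the alt text, or <script>...</script> as the caption, and the payload
// then runs for every visitor who loads a page carrying the widget.
class Hypothetical_Image_Widget_Unsafe extends WP_Widget {
    public function __construct() {
        parent::__construct( 'hypothetical_image_unsafe', 'Hypothetical Image (unsafe)' );
    }

    public function update( $new_instance, $old_instance ) {
        return $new_instance; // stored verbatim, no sanitization
    }

    public function widget( $args, $instance ) {
        echo $args['before_widget'];
        // Attribute context and text context both receive raw stored input.
        echo '<img src="' . $instance['url'] . '" alt="' . $instance['alt'] . '">';
        echo '<p class="caption">' . $instance['caption'] . '</p>';
        echo $args['after_widget'];
    }
}

// Hardened pattern: sanitize on save, escape on output.
class Hypothetical_Image_Widget_Safe extends WP_Widget {
    public function __construct() {
        parent::__construct( 'hypothetical_image_safe', 'Hypothetical Image (safe)' );
    }

    public function update( $new_instance, $old_instance ) {
        $instance = array();
        // URL field: keep only a well-formed URL with an allowed scheme
        // (esc_url_raw rejects javascript: and similar).
        $instance['url'] = esc_url_raw( $new_instance['url'] ?? '' );
        // Alt text is plain text: strip tags and control characters.
        $instance['alt'] = sanitize_text_field( $new_instance['alt'] ?? '' );
        // Caption may carry limited markup. Only a user who really holds
        // unfiltered_html may store it untouched; on multisite, or with
        // DISALLOW_UNFILTERED_HTML defined, even administrators do not.
        // Everyone else gets it reduced to the post-content allowlist, which
        // drops <script> and on* event handlers.
        $caption = $new_instance['caption'] ?? '';
        $instance['caption'] = current_user_can( 'unfiltered_html' )
            ? $caption
            : wp_kses_post( $caption );
        return $instance;
    }

    public function widget( $args, $instance ) {
        echo $args['before_widget'];
        // Escape for the exact output context: esc_url for src, esc_attr for alt.
        printf(
            '<img src="%s" alt="%s">',
            esc_url( $instance['url'] ?? '' ),
            esc_attr( $instance['alt'] ?? '' )
        );
        // Filter on output as well as on save: a fix that only changes
        // update() does nothing for payloads already sitting in wp_options.
        echo '<p class="caption">' . wp_kses_post( $instance['caption'] ?? '' ) . '</p>';
        echo $args['after_widget'];
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'Hypothetical_Image_Widget_Safe' );
} );
```

To see the difference, drop the file into wp-content/mu-plugins on a test site, register the unsafe class as well, add both widgets to a sidebar, save `" onerror="alert(1)` as the alt text and compare the rendered HTML. The output-side wp_kses_post call is deliberate: it is what protects a site whose wp_options already contains a payload stored before the upgrade, which the patched update() method alone never revisits.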

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 12:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Stellarwp
                                       Stellarwp image Widget
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Stellarwp
                                       Stellarwp image Widget
                                       Wordpress
                                       Wordpress wordpress

Wed, 29 Apr 2026 11:30:00 +0000

Type           Values Removed   Values Added
Description                     Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP Image Widget image-widget allows Stored XSS. This issue affects Image Widget: from n/a through <= 4.4.11.
Title                           WordPress Image Widget plugin <= 4.4.11 - Cross Site Scripting (XSS) vulnerability
Weaknesses                      CWE-79
References                      (none)
Metrics                         cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T12:11:38.887Z

Reserved: 2026-04-29T09:04:31.204Z

Link: CVE-2026-42643

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-04-29T12:16:19.523

Modified: 2026-04-29T21:15:41.667

Link: CVE-2026-42643

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T04:15:26Z

Weaknesses