Impact
Unauthenticated Cross Site Scripting is present in the WordPress Favicon Rotator plugin up to version 1.2.11. The flaw allows arbitrary attackers to inject and execute JavaScript in the context of the affected site. This can lead to theft of user session cookies, manipulation of page content, or delivery of phishing payloads, thereby compromising confidentiality, integrity, and potentially availability of user data.
Affected Systems
The vulnerability affects WordPress sites that employ the Archetyped Favicon Rotator plugin, version 1.2.11 or earlier. Upgrading to version 1.2.12 or later removes the flaw.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity, while an EPSS score of less than 1% suggests a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Because the attack does not require authentication, any visitor to the affected page could potentially be impacted if the vulnerability is triggered. The exact method to trigger the flaw is not described in the official description; based on similar XSS vectors it is inferred that an attacker might manipulate the plugin’s favicon URL or settings to inject script, but the precise exploit path remains unspecified by the vendor.
OpenCVE Enrichment