Description
Unauthenticated Cross Site Scripting (XSS) in Favicon Rotator <= 1.2.11 versions.
Published: 2026-06-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Cross Site Scripting is present in the WordPress Favicon Rotator plugin up to version 1.2.11. The flaw allows arbitrary attackers to inject and execute JavaScript in the context of the affected site. This can lead to theft of user session cookies, manipulation of page content, or delivery of phishing payloads, thereby compromising confidentiality, integrity, and potentially availability of user data.

Affected Systems

The vulnerability affects WordPress sites that employ the Archetyped Favicon Rotator plugin, version 1.2.11 or earlier. Upgrading to version 1.2.12 or later removes the flaw.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, while an EPSS score of less than 1% suggests a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Because the attack does not require authentication, any visitor to the affected page could potentially be impacted if the vulnerability is triggered. The exact method to trigger the flaw is not described in the official description; based on similar XSS vectors it is inferred that an attacker might manipulate the plugin’s favicon URL or settings to inject script, but the precise exploit path remains unspecified by the vendor.

Generated by OpenCVE AI on June 18, 2026 at 03:23 UTC.

Remediation

Vendor Solution

Update the WordPress Favicon Rotator Plugin to the latest available version (at least 1.2.12).


OpenCVE Recommended Actions

  • Update the WordPress Favicon Rotator Plugin to version 1.2.12 or newer
  • If an immediate update is not possible, disable or uninstall the plugin to eliminate the attack surface
  • If the plugin must remain in use, configure the site to restrict unsanitized input that could be reflected in the favicon rotation setting

Generated by OpenCVE AI on June 18, 2026 at 03:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Archetyped
Archetyped favicon Rotator
Wordpress
Wordpress wordpress
Vendors & Products Archetyped
Archetyped favicon Rotator
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in Favicon Rotator <= 1.2.11 versions.
Title WordPress Favicon Rotator plugin <= 1.2.11 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Archetyped Favicon Rotator
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:26:48.916Z

Reserved: 2026-04-29T09:04:43.153Z

Link: CVE-2026-42649

cve-icon Vulnrichment

Updated: 2026-06-16T01:26:43.352Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:54.713

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-42649

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:07:18Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')