Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 WPCS currency-switcher allows DOM-Based XSS. This issue affects WPCS: from n/a through <= 1.3.1.
Published: 2026-05-27
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation allows a DOM‑based XSS vulnerability in the RealMag777 WPCS currency‑switcher plugin. Based on the description, it is inferred that an attacker can inject arbitrary JavaScript through unfiltered user input such as URL parameters or form data, which then executes in the victim’s browser. This can compromise the confidentiality, integrity, or availability of user sessions by enabling cookie theft, session hijacking, or site defacement.

Affected Systems

The vulnerability affects the WordPress WPCS currency‑switcher plugin from earliest known versions up to and including 1.3.1. All WordPress sites that have not updated this plugin beyond 1.3.1 are potentially exposed.

Risk and Exploitability

The CVSS score of 7.1 classifies the issue as high severity. Although no EPSS score is provided and the vulnerability is not listed in the CISA KEV catalog, it is inferred that exploitation may require only a crafted URL or form submission by a malicious actor. If an attacker succeeds, the impact could range from mild defacement to full session compromise for each visitor who follows the malicious link.

Generated by OpenCVE AI on May 27, 2026 at 11:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPCS currency‑switcher plugin to any version newer than 1.3.1, ensuring that the latest fix is applied.
  • Enforce strict input sanitization on all plugin entry points, especially URL parameters and form fields, to remove or encode potentially malicious scripts.
  • Deploy a Web Application Firewall rule set that detects and blocks common XSS payload patterns directed at the plugin’s input points.


Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 WPCS currency-switcher allows DOM-Based XSS. This issue affects WPCS: from n/a through <= 1.3.1.
Title | | WordPress WPCS plugin <= 1.3.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:53:22.046Z

Reserved: 2026-04-29T09:05:25.570Z

Link: CVE-2026-42733

Vulnrichment

Updated: 2026-05-27T10:53:16.986Z

NVD

Status: Received

Published: 2026-05-27T11:16:19.877

Modified: 2026-05-27T11:16:19.877

Link: CVE-2026-42733

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T12:00:32Z

Weaknesses