Community Security Advisory: Review Map Plugin XSS (CVE-2026-4161)

Cross-Site Scripting (XSS) in WordPress Review Map by RevuKangaroo Plugin
Plugin Name: Review Map by RevuKangaroo
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2026-4161
Urgency: Low
CVE Publish Date: 2026-03-23
Source URL: CVE-2026-4161

Authenticated Administrator Stored XSS in “Review Map by RevuKangaroo” (≤ 1.7): Risk, Detection, and Practical Mitigation for WordPress Site Owners

Published: 2026-03-23

A recently disclosed vulnerability (CVE-2026-4161) affects the WordPress plugin “Review Map by RevuKangaroo” version 1.7 and earlier. It is a stored Cross‑Site Scripting (XSS) issue in the plugin’s settings that requires an authenticated administrator to store the malicious payload. Stored XSS in admin‑accessible settings is not merely academic — it can enable session theft, privilege abuse, and full site compromise when chained with other weaknesses.

What was disclosed (summary)

  • A stored Cross‑Site Scripting (XSS) vulnerability was reported in the plugin “Review Map by RevuKangaroo” for WordPress, affecting versions up to and including 1.7.
  • The vulnerability is classified as stored XSS and has been assigned CVE‑2026‑4161.
  • Required privilege: an authenticated Administrator (the attack requires an administrator role to be able to store the malicious payload into plugin settings).
  • Exploit prerequisite: an administrator must be induced to perform an action — for example, visiting a crafted URL or clicking a link that leads to the plugin saving attacker‑controlled markup.
  • Official patch: at the time of this advisory there may be no official patched release available from the plugin author; check the plugin repository and vendor advisories for updates.
  • CVSS: reported score 5.9 (moderate) — the admin‑interaction requirement reduces large‑scale exploitability but does not eliminate real risk.

Why this matters (real‑world impact)

Stored XSS in plugin settings is particularly dangerous for several pragmatic reasons:

  • The malicious script is persisted on the site (in options or settings). It executes every time the affected admin page or front‑end output is rendered.
  • When executed in an admin context, the script can perform privileged actions: steal session cookies, invoke administrative APIs, create users, change configuration, or export data.
  • If the same stored value is shown on the public site, visitors can be affected — enabling drive‑by attacks, SEO spam, or redirect chains.
  • Even though exploitation requires targeting an admin, social engineering and phishing are effective; experienced operators can be tricked.

How the vulnerability is exploited (technical vector)

At a technical level the chain looks like this:

  1. The plugin exposes a settings form (on a wp‑admin page) that stores values, commonly via update_option/register_setting.
  2. Input from that form is saved without proper sanitization, allowing HTML/JavaScript to persist in the database.
  3. Later, when the plugin outputs the stored value into HTML, JavaScript, or attributes, it fails to escape for the correct context and the browser executes the attacker payload.
  4. A malicious payload stored this way executes in the security context of the viewing user — in many cases administrators — enabling actions as the admin or exfiltration of secrets.
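The following is an added illustration of the chain above and of the insecure patterns listed next; it is example code written for this advisory, not code from the Review Map by RevuKangaroo plugin. The option name rm_example_map_title, the settings group rm_example_group and the page slug rm-example are assumptions chosen for the example. The first half shows the unsanitized register_setting plus raw echo that lets markup persist and execute; the second half sanitizes on save, escapes per output context (esc_html for element content, esc_attr for attributes, wp_json_encode for an inline script value in place of string concatenation), and routes the form through options.php so the capability and nonce checks that WordPress performs there also close the crafted-link prerequisite described in the summary.

```php
<?php
// Added example for this advisory, not the plugin's own code.
// Option name, settings group and page slug below are assumptions.

// --- INSECURE PATTERN (illustration only; never hooked into WordPress) ---
function rm_example_register_insecure() {
    // No sanitize_callback: whatever the form posts is written to wp_options verbatim,
    // including "<script>...</script>" or an attribute-breaking quote.
    register_setting( 'rm_example_group', 'rm_example_map_title' );
}

function rm_example_render_insecure() {
    $value = get_option( 'rm_example_map_title', '' );
    // Unescaped in element content and inside an attribute: the stored value
    // is interpreted as markup on every render of this page.
    echo '<h2>' . $value . '</h2>';
    echo '<input type="text" name="rm_example_map_title" value="' . $value . '">';
}

// --- HARDENED PATTERN ----------------------------------------------------
function rm_example_register_secure() {
    register_setting(
        'rm_example_group',
        'rm_example_map_title',
        array(
            'type'              => 'string',
            // sanitize_text_field strips tags and control characters before the
            // value ever reaches update_option.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}

function rm_example_render_secure() {
    $value = get_option( 'rm_example_map_title', '' );
    // Escape for the exact output context, even though the value was sanitized on save.
    echo '<h2>' . esc_html( $value ) . '</h2>';
    echo '<input type="text" name="rm_example_map_title" value="' . esc_attr( $value ) . '">';
    // Inline script: emit a JSON literal instead of concatenating the string into JS.
    echo '<script>var rmExampleTitle = ' . wp_json_encode( $value ) . ';</script>';
}

function rm_example_settings_page() {
    // Capability check on render; options.php repeats it on save.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<div class="wrap"><form method="post" action="options.php">';
    // settings_fields() emits the nonce that options.php verifies, so a
    // crafted link cannot submit this form on an administrator's behalf.
    settings_fields( 'rm_example_group' );
    rm_example_render_secure();
    submit_button();
    echo '</form></div>';
}

function rm_example_admin_menu() {
    add_options_page(
        'RM Example',
        'RM Example',
        'manage_options',
        'rm-example',
        'rm_example_settings_page'
    );
}

add_action( 'admin_init', 'rm_example_register_secure' );
add_action( 'admin_menu', 'rm_example_admin_menu' );
```

The sanitize_callback and the context-specific escaping are independent layers: sanitizing on save keeps hostile markup out of the database, and escaping on output protects even values that were written by an older, unsanitized version of the plugin or imported directly into wp_options.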

Common insecure patterns to watch for:

  • register_setting or update_option calls with no sanitize_callback.
  • Echoing option values directly (e.g., echo $value;) without esc_html/esc_attr/esc_js.
  • Injecting option values directly into inline