{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32360", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:10:53.773Z", "datePublished": "2026-03-13T11:42:04.382Z", "dateUpdated": "2026-04-29T09:51:57.858Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "widget-google-reviews", "product": "Rich Showcase for Google Reviews", "vendor": "richplugins", "versions": [{"changes": [{"at": "6.9.4.4", "status": "unaffected"}], "lessThanOrEqual": "6.9.4.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:48.014Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richplugins Rich Showcase for Google Reviews widget-google-reviews allows Stored XSS.<p>This issue affects Rich Showcase for Google Reviews: from n/a through <= 6.9.4.3.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richplugins Rich Showcase for Google Reviews widget-google-reviews allows Stored XSS.This issue affects Rich Showcase for Google Reviews: from n/a through <= 6.9.4.3."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.858Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/widget-google-reviews/vulnerability/wordpress-rich-showcase-for-google-reviews-plugin-6-9-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Rich Showcase for Google Reviews plugin <= 6.9.4.3 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T19:00:13.036968Z", "id": "CVE-2026-32360", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:00:28.401Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32360", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T19:00:13.036968Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:00:25.014Z"}}], "cna": {"title": "WordPress Rich Showcase for Google Reviews plugin <= 6.9.4.3 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "affected": [{"vendor": "richplugins", "product": "Rich Showcase for Google Reviews", "versions": [{"status": "affected", "changes": [{"at": "6.9.4.4", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 6.9.4.3"}], "packageName": "widget-google-reviews", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-13T12:41:27.003Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/widget-google-reviews/vulnerability/wordpress-rich-showcase-for-google-reviews-plugin-6-9-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richplugins Rich Showcase for Google Reviews widget-google-reviews allows Stored XSS.This issue affects Rich Showcase for Google Reviews: from n/a through <= 6.9.4.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richplugins Rich Showcase for Google Reviews widget-google-reviews allows Stored XSS.<p>This issue affects Rich Showcase for Google Reviews: from n/a through <= 6.9.4.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-13T11:42:04.382Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32360", "state": "PUBLISHED", "dateUpdated": "2026-03-13T19:00:28.401Z", "dateReserved": "2026-03-12T11:10:53.773Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:04.382Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richplugins Rich Showcase for Google Reviews widget-google-reviews allows Stored XSS.This issue affects Rich Showcase for Google Reviews: from n/a through <= 6.9.4.3."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en richplugins Rich Showcase for Google Reviews widget-google-reviews permite XSS Almacenado. Este problema afecta a Rich Showcase for Google Reviews: desde n/a hasta &lt;= 6.9.4.3."}], "id": "CVE-2026-32360", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:49.797", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/widget-google-reviews/vulnerability/wordpress-rich-showcase-for-google-reviews-plugin-6-9-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.9.4.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Rich Showcase for Google Reviews", "source": "cna", "vendor": "richplugins"}, "product": "rich_showcase_for_google_reviews", "vendor": "richplugins"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T15:49:30.666300+00:00", "value": {"mitigation_remediation": ["Update Rich Showcase for Google Reviews to a version newer than 6.9.4.3", "If an update cannot be applied immediately, disable or uninstall the plugin to eliminate the risk"], "summary": {"action": "Update plugin", "impact": "Stored cross-site scripting"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress Rich Showcase for Google Reviews widget-google-reviews, all releases from the earliest available version up to and including 6.9.4.3. The vendor listed is richplugins:Rich Showcase for Google Reviews.", "description_and_impact": "The vulnerability is an improper neutralization of input during web page generation (cross\u2011site scripting). Key detail from official description: it allows stored XSS in the Rich Showcase for Google Reviews plugin. The flaw permits malicious scripts to be stored and subsequently served to site visitors.", "risk_and_exploitability": "The CVSS base score is 5.9, indicating medium severity. EPSS is below 1%, suggesting a low probability of exploitation. This vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires submission or modification of content that is stored by the plugin and later rendered, but no explicit attack path or real\u2011world impact is documented."}}}}, "created": "2026-03-16T09:34:47.328454+00:00", "updated": "2026-03-23T09:58:57.223364+00:00", "vendors": ["richplugins", "richplugins$PRODUCT$rich_showcase_for_google_reviews", "wordpress", "wordpress$PRODUCT$wordpress"]}