PatchSiren cyber security CVE debrief
CVE-2026-42649 Archetyped CVE debrief
CVE-2026-42649 is a HIGH-severity vulnerability with a CVSS score of 7.1. It is an Unauthenticated Cross Site Scripting (XSS) issue affecting Favicon Rotator versions up to and including 1.2.11. The vulnerability was published on [2026-06-15](https://www.cve.org/CVERecord?id=CVE-2026-42649) and last modified on [2026-06-15](https://nvd.nist.gov/vuln/detail/CVE-2026-42649).
- Vendor: Archetyped
- Product: Favicon Rotator
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Administrators and users of the Favicon Rotator plugin for WordPress, version 1.2.11 or earlier, should prioritize patching this vulnerability to prevent potential XSS attacks.
Technical summary
The vulnerability is characterized as Unauthenticated Cross Site Scripting (XSS) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. It is associated with CWE-79.
Defensive priority
HIGH
Recommended defensive actions
- Apply patches or updates that bring the Favicon Rotator plugin to a version beyond 1.2.11.
- Review and restrict user input handling to prevent malicious scripts from being executed.
Evidence notes
Evidence suggests that this issue was identified and reported through Patchstack, as referenced in the [Patchstack database entry](https://patchstack.com/database/wordpress/plugin/favicon-rotator/vulnerability/wordpress-favicon-rotator-plugin-1-2-11-cross-site-scripting-xss-vulnerability?_s_id=cve).
Official resources
- CVE-2026-42649 CVE record (CVE.org)
- CVE-2026-42649 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
CVE-2026-42649 was published on 2026-06-15T21:16:54.713Z and modified on 2026-06-15T21:24:32.790Z.