PatchSiren cyber security CVE debrief
CVE-2026-6864 manchumahara CVE debrief
CVE-2026-6864 is a reflected cross-site scripting issue in the CBX 5 Star Rating & Review WordPress plugin. The flaw is triggered through the page parameter and affects all versions up to and including 1.0.7. Because the attack is unauthenticated but requires an administrator to interact with a crafted link, the practical risk is strongest for WordPress sites where admins access plugin pages or review links from untrusted sources. The impact is consistent with the reported CVSS 3.1 score of 6.1 (medium).
- Vendor: manchumahara
- Product: CBX 5 Star Rating & Review
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-22
- Original CVE updated: 2026-05-22
- Advisory published: 2026-05-22
- Advisory updated: 2026-05-22
Who should care
WordPress site owners, plugin administrators, managed hosting teams, and security responders responsible for sites using CBX 5 Star Rating & Review versions 1.0.7 or earlier. Administrators are the primary target because exploitation depends on their interaction with a malicious link.
Technical summary
According to the NVD record and Wordfence-referenced source files, the plugin fails to sufficiently sanitize input and escape output in the page parameter. That allows reflected XSS on affected admin-facing pages. The vulnerability is unauthenticated, but successful exploitation requires user interaction (for example, an administrator clicking a crafted URL). The source references include vulnerable 1.0.7 templates and corresponding 1.0.8 templates, indicating remediation in a later release.
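The root cause described above (missing input validation and output escaping on a reflected admin parameter, CWE-79) is easiest to see as a vulnerable rendering routine beside its hardened form. The following Python example is added here for illustration; it is not the plugin's code, and the slug allowlist, the `render_*` function names and the sample value are assumptions made for the demonstration:

```python
import html
import re

# Assumed allowlist for a WordPress-style admin "page" slug (hypothetical,
# not taken from the plugin): letters, digits, hyphen, underscore, dot.
PAGE_SLUG_RE = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


def render_vulnerable(page: str) -> str:
    """The CWE-79 pattern: the request parameter is reflected into markup
    with no validation and no escaping, so quotes and angle brackets in the
    value become part of the page's HTML."""
    return f'<input type="hidden" name="page" value="{page}">'


def reflect_escaped(page: str) -> str:
    """Output escaping alone: every value is HTML-escaped (including quotes,
    since it lands inside an attribute) before being reflected."""
    safe = html.escape(page, quote=True)
    return f'<input type="hidden" name="page" value="{safe}">'


def render_hardened(page: str) -> tuple[int, str]:
    """Validation plus escaping: reject anything outside the slug allowlist
    (status 400), and still escape the value that is reflected, so the two
    controls back each other up."""
    if not PAGE_SLUG_RE.fullmatch(page):
        return 400, "<p>Invalid page parameter.</p>"
    return 200, reflect_escaped(page)


if __name__ == "__main__":
    # Constructed sample: a value that closes the attribute and opens a tag.
    sample = 'x"><b>injected</b>'
    print(render_vulnerable(sample))   # tag survives into the markup
    print(reflect_escaped(sample))     # tag is neutralised as text
    print(render_hardened(sample))     # rejected before rendering
    print(render_hardened("cbxrating-settings"))
```

Escaping on its own already stops the reflected value from breaking out of the attribute; the allowlist check additionally rejects values that no legitimate admin page slug would ever carry, which is the same property a detection rule can key on.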
Defensive priority
Medium. The issue is easy to reach over the network and needs no authentication, but it depends on administrator interaction and is limited to client-side script execution rather than direct code execution.
Recommended defensive actions
- Update CBX 5 Star Rating & Review to a version later than 1.0.7 as soon as possible; the referenced 1.0.8 template files indicate where the fix landed.
- Verify the installed plugin version across all WordPress instances, including staging and multisite environments.
- Review admin workflows for links coming from email, tickets, or external messages and treat them as untrusted until validated.
- Consider temporarily restricting access to plugin admin pages to trusted users only while updates are being deployed.
- Check for unexpected script activity or browser-based anomalies in administrative sessions after exposure.
- If you maintain detection controls, monitor for requests containing crafted page parameter values targeting the plugin pages.
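As an added example for the last action above (not part of the original debrief), the following Python scanner reads web-server access-log lines and flags requests to `/wp-admin/` whose decoded `page` parameter falls outside a conservative slug allowlist. The log lines are constructed for the example, the plugin page slugs (`cbxrating-settings`, `cbxrating-reviews`) and the allowlist are assumptions, and the combined-log regex assumes the common Apache/nginx format:

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed allowlist for a legitimate admin "page" slug (hypothetical).
PAGE_SLUG_RE = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")

# Combined-log style line: client, identity, user, [timestamp], "METHOD TARGET PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real logs). Line 3 carries a percent-encoded
# quote and angle brackets inside the page value; line 4 is a front-end request
# that also has a page parameter and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [22/May/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=cbxrating-settings HTTP/1.1" 200 5120
203.0.113.5 - - [22/May/2026:10:01:09 +0000] "GET /wp-admin/admin.php?page=cbxrating-reviews&paged=2 HTTP/1.1" 200 7033
198.51.100.7 - - [22/May/2026:10:02:44 +0000] "GET /wp-admin/admin.php?page=cbxrating-settings%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5120
198.51.100.7 - - [22/May/2026:10:03:01 +0000] "GET /index.php?page=3 HTTP/1.1" 200 4000
"""


def suspicious_page_param(target: str) -> Optional[str]:
    """Return the decoded page value if the request targets /wp-admin/ and
    the value is outside the slug allowlist; otherwise None."""
    parts = urlsplit(target)
    if not parts.path.startswith("/wp-admin/"):
        return None
    # parse_qs percent-decodes once; a second unquote catches double-encoding.
    for value in parse_qs(parts.query, keep_blank_values=True).get("page", []):
        decoded = unquote(value)
        if not PAGE_SLUG_RE.fullmatch(decoded):
            return decoded
    return None


def scan_log(text: str) -> list:
    """Scan log text line by line and collect the requests worth reviewing."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        bad = suspicious_page_param(m["target"])
        if bad is not None:
            hits.append({"line": lineno, "ip": m["ip"], "ts": m["ts"], "page": bad})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} at {hit['ts']} -> page={hit['page']!r}")
```

A hit here means the parameter could not have been produced by a normal admin menu link, which is a reliable trigger for review regardless of the specific payload shape; pair it with the administrator session that followed to judge whether the link was actually opened.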
Evidence notes
The CVE description supplied here states that the issue is reflected XSS via the page parameter, affects versions up to and including 1.0.7, and requires an administrator to click a malicious link. The NVD metadata lists CWE-79 and the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, which matches a network-reachable, user-interaction-dependent XSS. Wordfence-linked references point to vulnerable 1.0.7 template files and corresponding 1.0.8 files, supporting the version boundary and remediation context. Vendor identification is weak in the supplied corpus, so the debrief uses the plugin/product name from the vulnerability title and source references rather than asserting a stronger vendor mapping.
Official resources
Publicly disclosed on 2026-05-22 in the supplied CVE/NVD record set, with the NVD record and linked Wordfence advisory providing the initial public technical details.