PatchSiren cyber security CVE debrief
CVE-2026-11591 trustindex CVE debrief
The CVE record for CVE-2026-11591 was published on 2026-07-11T07:16:45.073Z and has not been modified since then. The NVD entry is currently . This vulnerability affects the Widgets for Google Reviews plugin for WordPress, specifically versions up to and including 13.3. The vulnerability is due to insufficient input sanitization and output escaping, allowing authenticated attackers with editor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability only affects multi-site installations and installations where unfiltered_html has been disabled.
- Vendor
- trustindex
- Product
- Widgets for Google Reviews
- CVSS
- MEDIUM 4.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Administrators of WordPress installations using the Widgets for Google Reviews plugin, especially those with multi-site installations or where unfiltered_html has been disabled, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
CVE-2026-11591 is a Stored Cross-Site Scripting vulnerability in the Widgets for Google Reviews plugin for WordPress. The vulnerability exists due to insufficient input sanitization and output escaping in the plugin's admin settings. This allows authenticated attackers with editor-level permissions and above to inject arbitrary web scripts into pages, which will execute when a user accesses the injected page. The vulnerability has a CVSS score of 4.4 and a CVSS severity of MEDIUM.
Defensive priority
Medium priority should be given to patching this vulnerability, especially in multi-site installations or where unfiltered_html has been disabled.
Recommended defensive actions
- Apply the latest patch for the Widgets for Google Reviews plugin (version 13.3 or later) to prevent exploitation of this vulnerability.
- Review and update the plugin to ensure that input sanitization and output escaping are properly implemented.
- Limit permissions to prevent authenticated attackers from injecting arbitrary web scripts.
- Monitor for suspicious activity and implement compensating controls to detect potential exploitation attempts.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
Evidence notes
The CVE record and NVD entry provide details on the vulnerability, including its description, CVSS score, and affected versions. The source item URL provides additional information on the vulnerability, including references to the plugin's code and details on the vulnerability from [email protected].
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:45.073Z and has not been modified since then.