Stored Cross-Site Scripting Vulnerability in Editorial Rating Plugin for WordPress
CVE-2026-12560

4.4 MEDIUM

What is CVE-2026-12560?

The Editorial Rating – Product Review & Rating System plugin for WordPress contains a serious Stored Cross-Site Scripting vulnerability caused by insufficient input sanitization and output escaping of the 'Link URL' field. An authenticated attacker with administrator-level privileges can store arbitrary web scripts in that field, and the scripts execute whenever any user visits the injected page. Notably, the restriction WordPress normally ties to the unfiltered_html capability does not apply here, because the payload is stored in post meta rather than in the content areas that capability governs. This puts site integrity and the security of every user who views the affected page at risk.
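The following is an added illustration of the bug class described above, not the plugin's own code: a hypothetical "Link URL" post-meta field saved and rendered the unsafe way, followed by the hardened pattern that sanitizes on save and escapes on output regardless of the saving user's role (function and field names are assumptions for the example).

```php
<?php
// Illustrative save/render pair for a "Link URL" post-meta field.
// Hypothetical names; this is not the Editorial Rating plugin's code.

// Vulnerable pattern: the raw value is stored and later echoed unescaped.
function er_example_save_link_url_unsafe( $post_id ) {
    if ( isset( $_POST['er_link_url'] ) ) {
        update_post_meta( $post_id, '_er_link_url', $_POST['er_link_url'] ); // no sanitization
    }
}
function er_example_render_link_url_unsafe( $post_id ) {
    $url = get_post_meta( $post_id, '_er_link_url', true );
    echo '<a href="' . $url . '">Read more</a>'; // no escaping
}

// Hardened pattern: nonce and capability check, sanitize on save, escape on output.
// Post meta is not covered by the unfiltered_html capability, so the sanitizer must
// run for every role, administrators included.
function er_example_save_link_url( $post_id ) {
    if ( ! isset( $_POST['er_link_url_nonce'] )
        || ! wp_verify_nonce( $_POST['er_link_url_nonce'], 'er_save_link_url' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['er_link_url'] ) ) {
        // esc_url_raw() keeps only protocols from wp_allowed_protocols() (http, https,
        // mailto, ...) and strips characters that cannot appear in a URL; it is the
        // sanitizer intended for values written to the database.
        $url = esc_url_raw( wp_unslash( $_POST['er_link_url'] ) );
        update_post_meta( $post_id, '_er_link_url', $url );
    }
}
add_action( 'save_post', 'er_example_save_link_url' );

function er_example_render_link_url( $post_id ) {
    $url = get_post_meta( $post_id, '_er_link_url', true );
    if ( '' === $url ) {
        return;
    }
    // esc_url() re-validates the protocol and entity-encodes the value for use in
    // an HTML attribute, so a stored value that slipped past the save path is still
    // neutralised at render time.
    echo '<a href="' . esc_url( $url ) . '">Read more</a>';
}
```

Sanitizing on save and escaping on output are independent layers; the fix for this class of bug applies both, because meta written by another code path (an import, a REST call, an older version) may never have passed through the save handler.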

Affected Version(s)

Editorial Rating – Product Review & Rating System: all versions up to and including 4.0.5 (0 <= version <= 4.0.5)


CVSS v3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Supoj Polsawas (sp0x5ec)