Cross-Site Scripting Vulnerability in Favicon by RealFaviconGenerator Product
CVE-2026-42754

7.1 HIGH

Key Information:

Vendor

WordPress

Status
Vendor
CVE Published: 27 May 2026

What is CVE-2026-42754?

The Favicon by RealFaviconGenerator plugin for WordPress is susceptible to a Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This reflected XSS issue can be exploited by attackers to inject malicious scripts into web pages, compromising the security of the sites that utilize this plugin. It is crucial for users to review and update their installations to mitigate this vulnerability.

Affected Version(s)

Favicon 0 <= 1.3.46

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

dodoh4t | Patchstack Bug Bounty Program