Rent Fetch Vulnerability (High) – CVE-2026-1931

Feb 17, 2026 | Plugins

Attack Vectors

Rent Fetch (WordPress plugin slug: rentfetch) versions 0.32.4 and below are affected by a High-severity vulnerability (CVSS 7.2, CVE-2026-1931) that enables unauthenticated stored cross-site scripting (XSS) via the ‘keyword’ parameter.

Because no login is required, an attacker can submit a crafted value through any plugin feature or page workflow that accepts the ‘keyword’ parameter. The malicious script can then be stored and later executed when staff or customers load the affected page, turning everyday site visits into a delivery mechanism for attacker-controlled content.

Security Weakness

The root cause is insufficient input sanitization and output escaping for user-supplied attributes associated with the ‘keyword’ parameter in Rent Fetch. In practical terms, the plugin fails to adequately clean untrusted input before saving it and/or fails to safely display it back to visitors.

This combination is what makes the issue stored XSS (persisting in the site’s content or data) and also explains why it is especially risky: the injected script can run repeatedly for every future visitor to an injected page.

Technical or Business Impacts

Business risk: A stored XSS event can damage trust quickly—visitors may see unexpected pop-ups, redirects, or altered page content. For marketing teams, this can directly impact conversion rates, paid campaign performance, and brand perception.

Operational and compliance risk: If an attacker uses injected scripts to interfere with customer sessions or capture information displayed in the browser, it can increase incident response costs and create potential reporting obligations depending on what data is exposed. Even without confirmed data loss, investigation, downtime, and stakeholder communications can be costly for leadership teams and compliance departments.

Recommended action: Update Rent Fetch to version 0.32.7 or newer, which contains the patch. Track the official record for reference: CVE-2026-1931. Vulnerability source: Wordfence advisory.
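To verify the recommended update across a fleet of sites, the following added example (not code from the plugin or the Wordfence advisory) reads the version header from a Rent Fetch plugin directory and triages it against the two bounds stated above. It assumes the standard WordPress plugin header format and a directory such as wp-content/plugins/rentfetch; the status names and the "unconfirmed" band for 0.32.5 and 0.32.6, which this page does not classify, are choices made for this example.

```python
import re
import sys
from pathlib import Path

AFFECTED_MAX = (0, 32, 4)  # advisory: 0.32.4 and below are affected
PATCHED_MIN = (0, 32, 7)   # advisory: 0.32.7 or newer contains the patch

# WordPress-style header lines inside the leading comment block of a plugin file.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.I | re.M)

def parse_version(text):
    """Return the header version as a 3-int tuple, or None if not a plugin main file."""
    head = text[:8192]  # WordPress only reads the first 8 KB for headers
    m = VERSION_RE.search(head)
    if not NAME_RE.search(head) or not m:
        return None
    nums = [int(n) for n in re.findall(r"\d+", m.group(1))[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version):
    """Map a version tuple to a triage status using the advisory's two bounds."""
    if version is None:
        return "unknown"
    if version <= AFFECTED_MAX:
        return "vulnerable"
    if version >= PATCHED_MIN:
        return "patched"
    return "unconfirmed"  # 0.32.5-0.32.6: status not stated on this page, update anyway

def audit_plugin_dir(plugin_dir):
    """Check the top-level .php files of one plugin directory."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        version = parse_version(php.read_text(encoding="utf-8", errors="replace"))
        if version is not None:
            return version, classify(version)
    return None, "unknown"

# Constructed sample header (not copied from the real plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Rent Fetch
 * Version: 0.32.4
 */
"""

if __name__ == "__main__":
    # Usage: python audit.py /path/to/wp-content/plugins/rentfetch [...]
    for directory in sys.argv[1:]:
        print(directory, *audit_plugin_dir(directory))
```

A patched version number only confirms the fix is installed; values stored through the ‘keyword’ parameter before the update still need to be reviewed.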

Similar Attacks

Stored and reflected XSS flaws in WordPress plugins have been repeatedly used to alter site content, redirect traffic, or run scripts in visitors’ browsers. Examples include:

Elementor Pro XSS vulnerability (Wordfence)

WordPress plugin vulnerability campaign coverage (Wordfence)
