Attack Vectors
CVE-2026-24555 is a Medium-severity Stored Cross-Site Scripting (XSS) issue affecting the ArtPlacer Widget WordPress plugin (slug: artplacer-widget) in versions up to and including 2.23.2.
The vulnerability can be exploited by an authenticated user with Contributor-level access (or higher). In practical terms, this means the risk is highest on sites where multiple internal users, agencies, freelancers, or partners have login access to publish or submit content.
Because this is a stored XSS, the malicious script can be saved into site content and then executed later whenever any visitor or staff member loads the affected page. This is particularly relevant for marketing and campaign landing pages, blog content workflows, and any content area contributors can edit.
Security Weakness
The underlying weakness is insufficient input sanitization and output escaping in ArtPlacer Widget versions up to 2.23.2. This can allow untrusted content to be stored and later rendered in a way that the browser interprets as executable script.
The vulnerability is rated CVSS 6.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating that it can be triggered remotely over the network, requires low attack complexity and no user interaction, needs only low privileges (a logged-in Contributor-level account), and has changed scope with low confidentiality and integrity impact and no availability impact.
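As an added illustration of the weakness class named above, not code from ArtPlacer Widget or the Wordfence report: a hypothetical widget caption stored by a Contributor, first without and then with WordPress's sanitize-on-save and escape-on-output calls, plus a small audit helper for reviewing already-stored values. All apw_* names and the option layout are placeholders.

```php
<?php
// Added example (not ArtPlacer Widget's code): a hypothetical widget setting
// saved by a Contributor and rendered on the front end. Shows the
// sanitize-on-save / escape-on-output pattern whose absence produces
// stored XSS in plugin settings. All apw_* names are placeholders.

// WEAK: stores whatever was submitted and prints it raw into HTML.
function apw_save_caption_weak( $new_instance ) {
    return array( 'caption' => $new_instance['caption'] );        // no sanitization
}
function apw_render_caption_weak( $instance ) {
    echo '<figcaption title="' . $instance['caption'] . '">'      // no escaping
        . $instance['caption'] . '</figcaption>';
}

// HARDENED: sanitize when the value is stored, escape for the context it is printed in.
function apw_save_caption( $new_instance ) {
    $raw = isset( $new_instance['caption'] ) ? $new_instance['caption'] : '';
    // Contributors never hold unfiltered_html; limit them to the post-safe tag set.
    $clean = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
    return array( 'caption' => $clean );
}
function apw_render_caption( $instance ) {
    $caption = isset( $instance['caption'] ) ? $instance['caption'] : '';
    // Attribute context: strip tags, then attribute-escape.
    // Element context: allow only the kses post whitelist.
    echo '<figcaption title="' . esc_attr( wp_strip_all_tags( $caption ) ) . '">'
        . wp_kses_post( $caption ) . '</figcaption>';
}

// Review helper for incident response: report stored instances whose caption
// would change under wp_kses_post, i.e. content the sanitizer would not have
// accepted. kses also normalizes attribute quoting, so treat hits as leads,
// not proof. Widget data lives in the option named 'widget_<id_base>'.
function apw_audit_stored_captions( $option_name = 'widget_apw_caption' ) {
    $suspicious = array();
    foreach ( (array) get_option( $option_name, array() ) as $id => $instance ) {
        if ( ! is_array( $instance ) || ! isset( $instance['caption'] ) ) {
            continue; // skips the '_multiwidget' marker and malformed entries
        }
        if ( wp_kses_post( $instance['caption'] ) !== $instance['caption'] ) {
            $suspicious[] = $id;
        }
    }
    return $suspicious;
}
```

Running the audit helper from WP-CLI (`wp eval 'print_r( apw_audit_stored_captions() );'`) is a quick way to triage stored widget data after updating the plugin.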
Technical or Business Impacts
Stored XSS in a customer-facing WordPress site can create direct business risk, including:
Brand and campaign damage: injected scripts can alter page content, redirect traffic, or display unauthorized messages—undermining trust in active marketing campaigns and landing pages.
Account and session exposure: scripts may be used to steal session data or perform actions in a logged-in user’s browser context, potentially escalating impact if an editor, administrator, or marketing operations user views the compromised page.
Compliance and customer trust impacts: unauthorized script execution on public pages can trigger privacy and compliance concerns, especially if it affects customer interactions or tracking on high-visibility pages.
Operational disruption: incident response, content audits, and stakeholder communications can consume marketing and leadership time, delay launches, and increase external support costs.
Remediation: Update ArtPlacer Widget to version 2.23.3 or newer (patched). Reference: Wordfence vulnerability report. CVE record: CVE-2026-24555.
Similar Attacks
Stored XSS has been a recurring issue across WordPress plugins and can have outsized business impact because it executes in real users’ browsers. Examples of real, publicly tracked cases include:
Elementor (Wordfence): Stored XSS vulnerability patched
Contact Form 7 (WPScan): XSS vulnerability entry (example)
WordPress 4.7.1 security release: content injection/XSS-related fixes