Editorial Rating – Product Review & Rating System Vulnerability (CVE-2026-12560)

Security Alert Summary

The Editorial Rating – Product Review & Rating System plugin for WordPress is affected by a stored Cross-Site Scripting (XSS) vulnerability in the Link URL field in all versions up to and including 4.0.5. Authenticated attackers with administrator-level access can store script payloads in post meta so that the script runs whenever a user views the affected page. The issue is caused by insufficient input sanitization and output escaping for data stored outside of post_content or post_excerpt.

CVE Details

  • CVE ID: CVE-2026-12560
  • Affected component: Editorial Rating – Product Review & Rating System plugin for WordPress
  • Affected versions: All versions up to and including 4.0.5
  • Published: June 30, 2026 at 6:16:27 AM UTC
  • Last modified: June 30, 2026 at 2:08:13 PM UTC
  • CVSS v3.1: Base score 4.4 (MEDIUM) — CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: Requires authenticated attacker with high privileges (administrator-level). No user interaction required (UI:N).
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation)

Technical Details

The plugin fails to properly sanitize and escape input provided in the Link URL field. The value is stored in post meta under the meta key _wpas_er_options via update_post_meta, rather than in post_content or post_excerpt. Because the data is saved in post meta and later rendered without adequate escaping, an authenticated user with administrator-level privileges can inject arbitrary web scripts that are stored and then executed whenever a page containing the injected meta is displayed, to any user who views that page.

WordPress's unfiltered_html capability does not cover this case: that exemption applies to content stored in post fields, not to post meta, so administrators are affected regardless of their unfiltered_html status. The vulnerability is the combination of insufficient sanitization of the Link URL value when it is saved and missing output escaping where the meta value is rendered.
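The save-and-render path the advisory describes, shown as an added example that is not the plugin's own code: the weak pattern (raw request value into post meta, echoed back unescaped) next to a hardened version that sanitizes the URL on save with esc_url_raw() and escapes it again on output with esc_url(). The function names, the save_post hook wiring, the nonce field name and the assumption that the _wpas_er_options meta value is an array with a link_url key are all assumptions; only the meta key itself comes from the advisory.

```php
<?php
/**
 * Added example (not the plugin's code). Demonstrates the missing sanitization /
 * escaping on the "Link URL" field described in the advisory and one way to fix it.
 * Assumptions: function names, the 'er_link_url' / 'er_demo_nonce' request fields,
 * and that the _wpas_er_options meta value is an array holding a 'link_url' key.
 */

function er_demo_get_options( int $post_id ): array {
    $options = get_post_meta( $post_id, '_wpas_er_options', true ); // key named in the advisory
    return is_array( $options ) ? $options : [];
}

// --- Weak pattern: the behaviour the advisory reports ---------------------------------

function er_demo_save_link_url_unsafe( int $post_id ): void {
    $options             = er_demo_get_options( $post_id );
    $options['link_url'] = $_POST['er_link_url'] ?? '';        // stored as received, no sanitization
    update_post_meta( $post_id, '_wpas_er_options', $options );
}

function er_demo_render_link_unsafe( int $post_id ): string {
    $options = er_demo_get_options( $post_id );
    // Meta value dropped straight into an attribute context: no escaping at all.
    return '<a href="' . ( $options['link_url'] ?? '' ) . '">Read more</a>';
}

// --- Hardened pattern -----------------------------------------------------------------

function er_demo_save_link_url( int $post_id ): void {
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    // Only a user who may edit this post, submitting our own form, may change the meta.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $nonce = isset( $_POST['er_demo_nonce'] ) ? (string) wp_unslash( $_POST['er_demo_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'er_demo_save_meta' ) ) {
        return;
    }

    $raw = isset( $_POST['er_link_url'] ) ? (string) wp_unslash( $_POST['er_link_url'] ) : '';

    // esc_url_raw() is the sanitizer for a URL headed to the database: it strips
    // characters that do not belong in a URL and rejects schemes outside
    // wp_allowed_protocols() (a javascript: value becomes an empty string).
    $clean = esc_url_raw( trim( $raw ) );

    $options             = er_demo_get_options( $post_id );
    $options['link_url'] = $clean;
    update_post_meta( $post_id, '_wpas_er_options', $options );
}

function er_demo_render_link( int $post_id ): string {
    $options = er_demo_get_options( $post_id );
    $url     = isset( $options['link_url'] ) ? (string) $options['link_url'] : '';
    if ( '' === $url ) {
        return '';
    }
    // Escape late, at output, regardless of what was stored: esc_url() for the
    // href attribute, esc_html() for the visible text. This also neutralises rows
    // that were written before the save-side fix existed.
    return sprintf(
        '<a href="%s" rel="nofollow">%s</a>',
        esc_url( $url ),
        esc_html( $url )
    );
}

add_action( 'save_post', 'er_demo_save_link_url' );
```

The two halves of the fix are independent on purpose: sanitizing on save stops new bad values from reaching wp_postmeta, while escaping on output protects every existing row, which matters because post meta, unlike post_content, is not subject to the unfiltered_html exemption and nothing else in WordPress core will escape it for you.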

How This Could Impact Your Website

On a multi-user WordPress site, the site owner or administrator might allow internal staff or external contractors to add or edit product reviews. An attacker with administrator-level access could insert a script into the Link URL field of a review. When other users or site managers view the affected pages, the script could run in their browsers. Practical consequences include exposure of session information accessible to the browser context, leakage of data presented on the page, or enabling targeted actions against users.

This can increase the risk of targeted phishing or social engineering, and it may expose internal user information such as displayed email addresses or profile data if that information is available on the rendered pages. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially administrator and contributor roles.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from the site.
  • Monitor site activity and logs for unusual behavior or unexpected changes to posts and post meta.
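The last action, checking existing post meta for unexpected values, as an added example that is not the plugin's or the advisory's own code: a small audit that lists every post whose stored Link URL would not survive URL sanitization unchanged. It assumes the same array shape for _wpas_er_options (a link_url key) as above and is meant to be run with WP-CLI as `wp eval-file` against a live site; the function names are assumptions.

```php
<?php
/**
 * Added example (not the plugin's code). Audits posts carrying the _wpas_er_options
 * meta key from the advisory and reports Link URL values that contain markup or that
 * change under esc_url_raw(). Run from a WordPress checkout with:
 *   wp eval-file audit-er-meta.php
 * Assumption: the meta value is an array with a 'link_url' key.
 */

// True when the stored value is not a clean URL: it carries markup or quotes, or it
// changes under esc_url_raw() (disallowed scheme such as javascript:, embedded
// whitespace, control characters). Empty values are ignored.
function er_demo_link_url_is_suspicious( string $value ): bool {
    $value = trim( $value );
    if ( '' === $value ) {
        return false;
    }
    if ( false !== strpos( $value, '<' ) || false !== strpos( $value, '"' ) ) {
        return true;
    }
    return esc_url_raw( $value ) !== $value;
}

// Returns one finding per affected post: id, stored value, author and last-modified time.
function er_demo_audit_link_urls(): array {
    $findings = [];
    $query    = new WP_Query( [
        'post_type'      => 'any',
        'post_status'    => 'any',
        'posts_per_page' => -1,
        'fields'         => 'ids',
        'meta_key'       => '_wpas_er_options',   // meta key named in the advisory
        'no_found_rows'  => true,
    ] );

    foreach ( $query->posts as $post_id ) {
        $options = get_post_meta( $post_id, '_wpas_er_options', true );
        if ( ! is_array( $options ) || empty( $options['link_url'] ) ) {
            continue;
        }
        $url = (string) $options['link_url'];
        if ( er_demo_link_url_is_suspicious( $url ) ) {
            $findings[] = [
                'post_id'   => (int) $post_id,
                'link_url'  => $url,
                'author_id' => (int) get_post_field( 'post_author', $post_id ),
                'modified'  => (string) get_post_field( 'post_modified_gmt', $post_id ),
            ];
        }
    }
    return $findings;
}

$findings = er_demo_audit_link_urls();
if ( empty( $findings ) ) {
    echo "No suspicious Link URL values found.\n";
}
foreach ( $findings as $f ) {
    printf(
        "post %d (author %d, modified %s UTC): %s\n",
        $f['post_id'],
        $f['author_id'],
        $f['modified'],
        $f['link_url']
    );
}
```

Expect some benign hits: esc_url_raw() prepends http:// to a scheme-less value such as example.com, so those rows are reported for a manual look rather than silently accepted. WordPress core does not record which user last changed a meta row, so the author and modified columns are a starting point for correlating with access logs or an activity-log plugin, not proof of who made the change.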

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
