Security Alert Summary
The Rent Fetch plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability via the keyword parameter in all versions up to and including 0.32.4. Insufficient input sanitization and output escaping on user-supplied attributes can allow an unauthenticated attacker to inject scripts that execute when a user views an affected page.
CVE Details
- CVE ID: CVE-2026-1931
- Affected plugin / component: Rent Fetch plugin for WordPress
- Affected versions: All versions up to, and including, 0.32.4
- Published date: February 18, 2026 at 5:16:28 AM
- Last modified date: February 18, 2026 at 5:16:28 AM
- CVSS v3.1: Base Score 7.2, Severity: HIGH
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
- Authentication / privileges / user interaction: Authentication not required; Privileges required: None; User interaction: None
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- CWE / weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e., Cross-site Scripting)
Technical Details
The vulnerability is a stored cross-site scripting (XSS) issue stemming from insufficient input sanitization and output escaping for the keyword parameter. Because user-supplied attributes are not properly sanitized or escaped before being persisted and rendered, an attacker can inject arbitrary web scripts that are stored on the site and executed when a victim loads the affected page.
The CVE description specifically identifies the keyword parameter as the vector. The vulnerability allows unauthenticated attackers to place script content that will execute in the context of users viewing the injected pages. The impact is limited to the confidentiality and integrity of data accessible to the rendered page (for example, data exposed to the attacker-controlled script); availability impact is not indicated.
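The following is an added illustration and is not code from the Rent Fetch plugin or from the references above. It places the pattern the CVE describes (a keyword setting persisted and rendered without sanitization or escaping) next to a hardened version that sanitizes on write and escapes on read. The option key `demo_keyword`, the `$store` array standing in for `wp_options`, and the `sanitize_text()` / `esc_attribute()` helpers are assumptions; inside WordPress the equivalents are `sanitize_text_field()` on save and `esc_attr()` (or `esc_html()` for text nodes) on output.

```php
<?php
// Added example; this is not the Rent Fetch plugin's code. It shows the
// pattern CVE-2026-1931 describes (a keyword setting persisted and rendered
// without sanitization or escaping) next to a hardened version. The option
// key 'demo_keyword', the $store array standing in for wp_options, and the
// sanitize_text()/esc_attribute() helpers are assumptions: inside WordPress
// you would call sanitize_text_field() on save and esc_attr() on output.

declare(strict_types=1);

// --- Vulnerable pattern: the value goes in raw and comes out raw ----------
function vulnerable_save(array &$store, string $keyword): void
{
    $store['demo_keyword'] = $keyword;              // nothing stripped
}

function vulnerable_render(array $store): string
{
    // The stored value is concatenated straight into an attribute, so a
    // quote and an angle bracket in it end the attribute and add markup.
    return '<input type="text" name="keyword" value="' . $store['demo_keyword'] . '">';
}

// --- Hardened pattern: sanitize on write, escape on read -------------------
function sanitize_text(string $value): string
{
    // Stand-in for sanitize_text_field(): drop tags and control characters,
    // then collapse whitespace.
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return trim(preg_replace('/\s+/', ' ', $value));
}

function esc_attribute(string $value): string
{
    // Stand-in for esc_attr(): encode quotes and angle brackets so the value
    // cannot leave the attribute it is printed into.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function hardened_save(array &$store, string $keyword): void
{
    $store['demo_keyword'] = sanitize_text($keyword);
}

function hardened_render(array $store): string
{
    // Escape at output regardless of what was stored: this also neutralizes
    // values that were saved before the plugin was updated.
    return '<input type="text" name="keyword" value="'
        . esc_attribute($store['demo_keyword']) . '">';
}

// Constructed sample input: a keyword that tries to break out of the attribute.
$sample = 'apartments"><script>alert(1)</script>';

// 1. Vulnerable path: the <script> element becomes part of the page.
$store = [];
vulnerable_save($store, $sample);
echo 'vulnerable:   ' . vulnerable_render($store) . PHP_EOL;

// 2. Hardened path: tags are stripped on save and the remaining quote and
//    angle bracket are encoded on output, so the value stays inside the
//    attribute.
$store = [];
hardened_save($store, $sample);
echo 'hardened:     ' . hardened_render($store) . PHP_EOL;

// 3. Defense in depth: a value stored unsanitized (for example before the
//    fix) is still inert once the rendering side escapes it.
$store = [];
vulnerable_save($store, $sample);
echo 'escaped-only: ' . hardened_render($store) . PHP_EOL;
```

Run it with the PHP CLI (`php example.php`). The third case is the one to keep in mind after updating: sanitizing on save only protects values written from then on, while escaping at every output site also covers settings that were stored while the vulnerable version was active.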
How This Could Impact Your Website
Consider a small organization that uses Rent Fetch and has multiple accounts: a site owner, internal editors, and an external contractor who helps publish listings. An unauthenticated attacker could inject script into a listing via the keyword parameter. When an editor or contractor opens the listing in the admin or on the public site, the injected script could run in their browser. Practical consequences include disclosure of data available to the page (such as user-visible email addresses), unauthorized modification of displayed content, or the use of the page to phish site users by showing attacker-controlled prompts.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor accounts and other low-privilege publishing roles.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, unexpected content changes, or unfamiliar saved items that could contain injected scripts.
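As an added example for the last recommendation, not code from the advisory or the plugin, the helper below flags stored settings values that contain markup a plain-text keyword should never hold. The `$options` array is constructed sample data; for a real review you would feed it the plugin's rows from `wp_options` (for example from the output of WP-CLI's `wp option list`), unserializing any array values first. The patterns are a triage heuristic, not an HTML parser, so flagged rows still need a human look.

```php
<?php
// Added example, not code from the advisory or the plugin: a review helper
// that flags stored settings values containing markup a plain-text keyword
// should never hold. The $options array below is constructed sample data;
// for a real review, feed it the plugin's rows from wp_options (for example
// the output of WP-CLI `wp option list`), unserializing array values first.

declare(strict_types=1);

function find_markup_in_options(array $options): array
{
    // Each pattern is labelled so a finding says why the value was flagged.
    // These are triage heuristics, not a parser.
    $patterns = [
        'html_tag'       => '/<\s*\/?\s*[a-z][a-z0-9-]*[^>]*>/i',
        'script_tag'     => '/<\s*script\b/i',
        'event_handler'  => '/\bon[a-z]+\s*=/i',
        'javascript_uri' => '/javascript\s*:/i',
    ];

    $findings = [];
    foreach ($options as $name => $value) {
        if (!is_string($value)) {
            continue;                   // unserialize arrays before calling
        }
        $hits = [];
        foreach ($patterns as $label => $regex) {
            if (preg_match($regex, $value) === 1) {
                $hits[] = $label;
            }
        }
        if ($hits !== []) {
            $findings[$name] = $hits;
        }
    }
    return $findings;
}

// Constructed sample rows: option name => stored value.
$options = [
    'demo_keyword'      => 'two bedroom',
    'demo_keyword_alt'  => 'loft"><script>alert(1)</script>',
    'demo_footer_text'  => 'Call us today',
    'demo_listing_link' => 'javascript:void(0)',
];

// Prints one line per flagged option with the reasons it was flagged;
// clean values such as 'two bedroom' produce no output.
foreach (find_markup_in_options($options) as $name => $reasons) {
    printf("%-20s flagged: %s\n", $name, implode(', ', $reasons));
}
```

Running this periodically against exported settings, or once right after updating the plugin, gives a quick answer to the question the recommendation raises: whether anything injected while the vulnerable version was installed is still sitting in the database.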
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://github.com/BrindleDigital/rentfetch/commit/3c7162b24a8be5e5399c1a5bbaf0b949127aca75
- https://plugins.trac.wordpress.org/browser/rentfetch/tags/0.32.4/lib/admin/options-sections/options-general-section.php#L225
- https://plugins.trac.wordpress.org/browser/rentfetch/trunk/lib/admin/options-sections/options-general-section.php#L225
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3458366%40rentfetch&new=3458366%40rentfetch&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3fffdda5-91ed-4b79-bc04-77a1c44e3b67?source=cve