CVE-2026-42649: WordPress Favicon Rotator plugin <= 1.2.11 - Cross Site Scripting (XSS) vulnerability

Synopsis

A reflected or stored cross-site scripting (XSS) vulnerability affects the Favicon Rotator WordPress plugin at version 1.2.11 and earlier. The flaw is reachable over the network without any authentication, but requires a victim to interact with a malicious link or page. Successful exploitation allows an attacker to inject and execute arbitrary JavaScript in the victim's browser, enabling session hijacking, page content manipulation, or redirection to attacker-controlled destinations. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.

• AuthenticationNot required

  No account or session is needed; the attacker can send malicious input as an unauthenticated user.

• Victim interactionRequired

  A victim must follow a crafted link or visit a page that delivers the malicious payload, making a social-engineering step necessary.

• Attack complexityDetail

  Attack complexity is low, meaning the exploit is reliable and requires no special race conditions or environmental preconditions to execute.

Blast Radius

• Attacker executes arbitrary JavaScript in the victim's browser session, allowing theft of session cookies or authentication tokens.
• Attacker modifies the visible content of the WordPress page as rendered in the victim's browser, enabling phishing or defacement from the victim's perspective.
• Attacker redirects the victim to an external, attacker-controlled site without further interaction.
• With the scope change (S:C) noted in the CVSS vector, injected script can affect browser contexts beyond the originating page, such as iframes or same-site resources.