CVE-2026-48885 | Severity: HIGH | CNA: Patchstack

CVE-2026-48885: WordPress HollerBox plugin <= 2.3.10.1 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in HollerBox <= 2.3.10.1 versions.

Metrics

CVSS v3.1: 7.1 (HIGH)
Fixed in: no fixed version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

A cross-site scripting (XSS) vulnerability exists in the HollerBox WordPress plugin at version 2.3.10.1 and earlier; the advisory does not state whether the injection is reflected or stored. Per the CVSS vector the flaw is reachable over the network (AV:N), needs no authentication (PR:N), and requires the victim to interact with attacker-controlled content (UI:R); scope is Changed (S:C) because the injected script runs in the victim's browser rather than in the vulnerable plugin itself. Successful exploitation lets an attacker run arbitrary JavaScript under the WordPress site's origin, which enables actions performed with the victim's privileges, phishing for credentials, and injection of attacker-controlled content. HarborGuard is tracking this advisory for patch availability; at the time of writing no fix version has been published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-48885 is available across every HarborGuard environment. The CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the HollerBox plugin. Any image containing HollerBox at or below version 2.3.10.1 is flagged as affected. The version comparison must be numeric per component: a lexical compare ranks 2.3.9 above 2.3.10 and would mark a vulnerable install as fixed.
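The version match described above, written out as an added example (this is not HarborGuard's or the plugin's own code). It reads the plugin's version either from the `Version:` header of the plugin main file, the way WordPress's own `get_file_data()` does, or from `wp plugin list --format=json` output, and compares it numerically against the advisory's last affected version so that four-component versions such as 2.3.10.1 sort correctly. The plugin slug `holler-box`, the path `holler-box/holler-box.php`, and both sample inputs are assumptions constructed for the example, not taken from the advisory.

```python
import json
import re
from typing import Optional

# Last affected version from the advisory: HollerBox <= 2.3.10.1.
LAST_AFFECTED = "2.3.10.1"

# Constructed sample: the header block of a WordPress plugin main file, in the
# format WordPress's get_plugin_data() reads. The path holler-box/holler-box.php
# is an assumption about the plugin's layout, not taken from the advisory.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: HollerBox
 * Description: Popups and notifications.
 * Version: 2.3.10.1
 * Author: Groundhogg
 */
"""

# Constructed sample of `wp plugin list --format=json` output from a live site.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "holler-box", "status": "active", "update": "none", "version": "2.3.9"},
])


def parse_version(version: str) -> tuple:
    """Split a dotted version into integers so that 2.3.9 < 2.3.10 < 2.3.10.1.

    A plain string comparison gets this wrong ("2.3.9" > "2.3.10"), which would
    mark a vulnerable 2.3.9 install as fixed. Trailing non-numeric suffixes
    (e.g. '-beta') are dropped; missing components are padded with 0.
    """
    parts = []
    for piece in re.split(r"[.\-_+]", version.strip()):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when the installed version is within the advisory's affected range."""
    return parse_version(version) <= parse_version(last_affected)


def version_from_plugin_header(php_source: str) -> Optional[str]:
    """Extract the 'Version:' header from a plugin main file.

    Mirrors WordPress's get_file_data(): the key may be preceded by comment
    punctuation, and a trailing comment closer is stripped from the value.
    """
    m = re.search(r"^[ \t/*#@]*Version:(.*)$", php_source, re.MULTILINE)
    if not m:
        return None
    value = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return value or None


def affected_from_wp_cli(json_text: str, slug: str = "holler-box") -> Optional[dict]:
    """Given `wp plugin list --format=json` output, return the HollerBox entry
    (slug assumed to be 'holler-box') with an 'affected' flag, or None if absent."""
    for plugin in json.loads(json_text):
        if plugin.get("name") == slug:
            return {**plugin, "affected": is_affected(plugin["version"])}
    return None


if __name__ == "__main__":
    v = version_from_plugin_header(SAMPLE_PLUGIN_HEADER)
    print(f"plugin header version {v}: affected={is_affected(v)}")
    print("wp-cli entry:", affected_from_wp_cli(SAMPLE_WP_CLI_JSON))
```

To run this against a real image or site, feed `version_from_plugin_header` the contents of `wp-content/plugins/holler-box/holler-box.php` (path assumed) from the image filesystem, or pipe `wp plugin list --format=json` into `affected_from_wp_cli`; the same `parse_version` comparison is what turns the advisory's "≤ 2.3.10.1" into a correct match once a fixed version such as a hypothetical 2.3.10.2 appears.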
Triage: Available

HarborGuard triage applies the CVSS v3.1 score of 7.1 (HIGH) to findings and can weight results further against each customer's per-environment compliance policy before routing alerts to the appropriate team inbox within the customer organization.
Patch: Pending upstream

Because no upstream fix has been published for this CVE, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically as soon as a remediated version of HollerBox is released. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads as soon as a fix version is confirmed upstream.

Exploit Conditions

  • Network reachability: Required (AV:N)

    The vulnerable plugin endpoint is exposed over the network, so an attacker can deliver a malicious payload to it without local or physical access to the host.

  • Authentication: Not required (PR:N)

    No account or credentials are needed; the vulnerability is reachable by any unauthenticated user.

  • Victim interaction: Required (UI:R)

    A victim must interact with attacker-controlled content, such as clicking a crafted link or visiting a page hosting the malicious payload, for the injected script to execute in their browser.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free; no race condition, memory-layout dependency, or special environmental state is required for the attack to succeed.

Blast Radius

  • Injected JavaScript executes in the victim's browser under the origin of the WordPress site. WordPress sets its authentication cookies HttpOnly by default, so the script generally cannot read them directly; it can, however, issue authenticated requests from the victim's session and harvest any token that is exposed to page scripts, such as nonces embedded in admin pages.
  • If the victim is a logged-in administrator, the attacker can perform actions on the victim's behalf inside the WordPress admin panel, including creating accounts or modifying site content.
  • The XSS payload can silently redirect the victim to attacker-controlled pages for phishing or further credential harvesting.
  • The CVSS vector rates availability impact Low (A:L): the injected script can disrupt or degrade the page or session the victim is currently using, but does not take the site itself down.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is matched against all customer images containing the HollerBox plugin at or below version 2.3.10.1 as soon as the advisory is ingested. Because no upstream patch exists yet, HarborGuard monitors the Patchstack advisory and the Groundhogg/HollerBox release channel on every ingest cycle. Where compliance policy permits, customers can apply compensating controls in the interim: network-policy rules that block unauthenticated requests to the affected plugin endpoint (viable only where that endpoint is not needed for the plugin's front-end behaviour), web-application firewall rules targeting XSS payloads in HollerBox request parameters, and feature-flag or plugin-deactivation options within WordPress administration; deactivating the plugin removes the exposure entirely until a fixed release is available. As soon as a fixed version is published upstream, a patched-image rebuild becomes available on HarborGuard; for customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads are triggered automatically without manual intervention.

Affected packages
  • Groundhogg / HollerBox
    ≤ 2.3.10.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L