CVE-2026-13015
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
The Wp Google Places Review Slider plugin for WordPress up to version 18.1 is vulnerable to Reflected Cross-Site Scripting via the 'place' parameter. Insufficient input sanitization and output escaping in admin/partials/googlecrawl_dfs.php allow unauthenticated attackers to inject arbitrary scripts that execute when a user clicks a crafted link.
Risk Assessment
The risk involves potential execution of malicious scripts in the browser of an administrator or user, which could lead to session theft, account takeover, or further compromise of the website.
Recommendation
Immediately update the Wp Google Places Review Slider plugin to the latest available version that fixes this vulnerability. If no update is available, temporarily disable the plugin.
Original NVD description (English source)
The Wp Google Places Review Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'place' parameter in versions up to, and including, 18.1. This is due to insufficient input sanitization and output escaping in admin/partials/googlecrawl_dfs.php, where the $_GET['place'] value is URL-decoded, stripslashes()'d, and echoed directly into an HTML value attribute with no esc_attr() call when the supplied place is not already a stored key in the wprev_google_crawls option. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a specially crafted link.

