CVE-2026-1792 MEDIUM

CVE-2026-1792: Geo Widet <= 1.0 - Reflected Cross-Site Scripting

Vendor Owencutajar

Product Geo Widget

Weakness CWE-79 · XSS

Published February 14, 2026

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Geo Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL path in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Explanation of Vulnerability in Simple Terms

02Summary

Geo Widget versions 1.0 and earlier contain a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into the application. An attacker can craft a malicious link or page that, when visited by a user, executes arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, or defacement.

What an attacker can do

03Attacker Capabilities

Inject and execute malicious JavaScript in a user's browser to steal session data or credentials.

Potential impact on your site

04Site Impact

Users visiting affected pages may have their sessions compromised or credentials stolen without their knowledge.

Conditions required to exploit

05Prerequisites

No authentication required. Victim must visit an attacker-controlled page or click a malicious link.

Key dates

06Disclosure timeline

February 14, 2026 CVE published

April 8, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-1792

Related vulnerabilities