CVE-2026-32360 identifies a stored Cross-site Scripting (XSS) vulnerability in the Rich Showcase for Google Reviews plugin developed by richplugins, affecting all versions up to and including 6.9.4.3. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is permanently stored and later executed in the browsers of users visiting the affected web pages. Stored XSS is particularly dangerous because the malicious payload persists on the server and can affect multiple users without requiring repeated attacker interaction. The vulnerability does not require authentication, meaning any unauthenticated attacker can exploit it by submitting crafted input to the plugin's input fields or review submission forms. Once exploited, attackers can execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, credential theft, unauthorized actions on behalf of users, defacement, or redirection to malicious sites. Although no public exploits or active exploitation have been reported yet, the vulnerability is publicly disclosed and thus poses a credible risk. The lack of a CVSS score indicates the need for a severity assessment based on impact and exploitability factors. The plugin is commonly used on WordPress sites to display Google Reviews, making websites that rely on this plugin vulnerable until patched. The issue was reserved and published in March 2026 by Patchstack, a known vulnerability aggregator. No official patches or updates are linked yet, so users must monitor vendor announcements closely. The vulnerability highlights the importance of proper input validation, output encoding, and security controls in web plugins that handle user-generated content.

The stored XSS vulnerability in Rich Showcase for Google Reviews can have significant impacts on organizations worldwide. Exploitation allows attackers to execute arbitrary JavaScript in the context of users' browsers, potentially leading to theft of session cookies, personal data, or credentials. This can result in unauthorized access to user accounts or administrative functions. Additionally, attackers can manipulate website content, deface pages, or redirect users to malicious websites, damaging brand reputation and user trust. For e-commerce or service-oriented websites, such attacks can lead to financial losses and regulatory compliance issues, especially if personal data is compromised. The persistent nature of stored XSS means that once injected, the malicious code can affect many users over time, increasing the attack surface. Organizations relying on this plugin for displaying Google Reviews are at risk until the vulnerability is remediated. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as public disclosure often leads to exploit development. Overall, the vulnerability threatens confidentiality, integrity, and availability of affected web applications and their users.

To mitigate CVE-2026-32360, organizations should take the following specific actions: 1) Monitor the richplugins vendor site and trusted vulnerability databases for official patches or updates addressing this vulnerability and apply them promptly once available. 2) If a patch is not yet available, consider temporarily disabling or removing the Rich Showcase for Google Reviews plugin to eliminate exposure. 3) Implement strict input validation on all user-supplied data fields related to the plugin, ensuring that potentially dangerous characters are sanitized or rejected before storage. 4) Apply proper output encoding (e.g., HTML entity encoding) when rendering user-generated content to prevent script execution. 5) Deploy Content Security Policy (CSP) headers to restrict the execution of inline scripts and loading of external scripts, limiting the impact of any injected malicious code. 6) Conduct regular security audits and penetration testing focused on web application input handling and plugin security. 7) Educate web administrators and developers about the risks of stored XSS and secure coding practices. 8) Use web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting this plugin. These measures together reduce the risk of exploitation and help protect users and organizational assets.