{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39674", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:05.154Z", "datePublished": "2026-04-08T08:30:39.819Z", "dateUpdated": "2026-04-08T18:59:00.562Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "google-distance-calculator", "product": "MK Google Directions", "vendor": "Manoj Kumar", "versions": [{"lessThanOrEqual": "3.1.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Riski Gana Prasetya | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:40.742Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Manoj Kumar MK Google Directions google-distance-calculator allows DOM-Based XSS.<p>This issue affects MK Google Directions: from n/a through <= 3.1.1.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Manoj Kumar MK Google Directions google-distance-calculator allows DOM-Based XSS.This issue affects MK Google Directions: from n/a through <= 3.1.1."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:39.819Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/google-distance-calculator/vulnerability/wordpress-mk-google-directions-plugin-3-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress MK Google Directions plugin <= 3.1.1 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:58:18.397982Z", "id": "CVE-2026-39674", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:59:00.562Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Manoj Kumar MK Google Directions google-distance-calculator allows DOM-Based XSS.This issue affects MK Google Directions: from n/a through <= 3.1.1."}], "id": "CVE-2026-39674", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:38.957", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/google-distance-calculator/vulnerability/wordpress-mk-google-directions-plugin-3-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MK Google Directions", "source": "cna", "vendor": "Manoj Kumar"}, "product": "mk_google_directions", "vendor": "manoj_kumar"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:33:31.575865+00:00", "value": {"mitigation_remediation": ["Upgrade the MK Google Directions plugin to the latest available version, which removes the XSS flaw.", "If an upgrade cannot be performed immediately, deactivate or delete the plugin to eliminate the attack surface until a patch is installed.", "Verify other WordPress plugins for similar vulnerabilities and keep the core platform updated to reduce overall risk."], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the MK Google Directions plugin for WordPress, developed by Manoj Kumar. All released versions from the initial release through version 3.1.1 are impacted; no later versions are mentioned in the advisory.", "description_and_impact": "Improper neutralization of input during web page generation allows a DOM\u2011based cross\u2011site scripting flaw in the Manoj Kumar MK Google Directions WordPress plugin. The flaw causes untrusted data supplied to the plugin to be rendered directly as JavaScript in the visitor\u2019s browser, enabling arbitrary code execution in the site visitor\u2019s context. This can lead to session hijacking, defacement, or malicious redirects. The weakness is a reflected XSS failure, classified as CWE\u201179.", "risk_and_exploitability": "No CVSS score or EPSS value is published for this issue, but XSS vulnerabilities generally pose a moderate to high risk for confidentiality and integrity due to potential code execution in users\u2019 browsers. The CVE is not listed in the CISA KEV catalog, indicating that widespread exploitation has not been documented. Based on the description, it is inferred that exploitation requires a victim to interact with crafted input\u2014such as visiting a specially constructed URL or entering manipulated data\u2014since the flaw is client\u2011side and depends on the plugin processing user\u2011supplied content."}}}}, "created": "2026-04-08T19:27:58.497642+00:00", "updated": "2026-04-08T19:41:01.823726+00:00", "vendors": ["manoj_kumar", "manoj_kumar$PRODUCT$mk_google_directions", "wordpress", "wordpress$PRODUCT$wordpress"]}