Platform: wordpress
Component: token-of-trust
Fixed in: 3.32.4
CVE-2026-2834 is a Stored Cross-Site Scripting (XSS) vulnerability in the Age Verification & Identity Verification by Token of Trust plugin for WordPress. Successful exploitation allows unauthenticated attackers to inject arbitrary web scripts, potentially leading to session hijacking, defacement, or redirection. The vulnerability affects versions of the plugin up to and including 3.32.3. A patch is available in version 3.32.4.
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the 'Age Verification & Identity Verification by Token of Trust' plugin for WordPress. This vulnerability, tracked as CVE-2026-2834, allows unauthenticated attackers to inject malicious web scripts through the 'description' parameter. Successful injection allows the attacker to execute the script whenever a user accesses the affected page. This poses a significant risk, as an attacker could steal session cookies, redirect users to malicious websites, or even gain control of the WordPress account. The CVSS severity score is 7.2, indicating a high-risk vulnerability. Prompt action is crucial to mitigate this risk.
An attacker could exploit this vulnerability by injecting malicious JavaScript code into the 'description' field of the plugin. This code could be injected through an administrative WordPress form or any other interface that allows data input into this field. Once injected, the script will be stored in the database and executed whenever a user accesses the page displaying the description. The success of exploitation depends on the website's configuration and implemented security measures. The lack of input sanitization is the root cause of this vulnerability.
EPSS: 0.08% (24th percentile)
The recommended solution is to update the 'Age Verification & Identity Verification by Token of Trust' plugin to version 3.32.4 or higher. This update includes necessary fixes to properly sanitize user input and escape output, preventing the injection of malicious scripts. It's strongly advised to apply this update as soon as possible, especially if your website handles sensitive information or experiences high traffic. Regularly reviewing your WordPress plugins and themes for security vulnerabilities is also recommended. Implementing a robust password policy and enabling two-factor authentication can further enhance your website's security.
Update to version 3.32.4, or a newer patched version
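To check an installed copy against the affected range stated above (up to and including 3.32.3, fixed in 3.32.4), the following added example, which is not code from the plugin or from this advisory, reads the `Version:` field of a WordPress plugin header and classifies it. The function names and the sample header are constructed for illustration; the path to the plugin's main file is supplied by the caller.

```shell
#!/bin/sh
# Added example: version triage for CVE-2026-2834 (hypothetical helper names).
FIXED_VERSION="3.32.4"   # "Fixed in" value from this advisory

# Print the Version field from a WordPress plugin header comment in file $1.
# Prints nothing when the file has no such field.
plugin_header_version() {
    sed -n 's/^[[:space:]*#@]*Version:[[:space:]]*\([0-9][0-9A-Za-z.+-]*\).*$/\1/p' "$1" | head -n 1
}

# Return 0 when dotted version $1 is lower than $2. Components are compared
# numerically (so 3.9 < 3.32); missing components count as 0 and
# non-numeric suffixes such as "-beta1" are ignored.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Print "affected", "patched" or "unknown" for version string $1.
tot_status() {
    case $1 in
        [0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    if version_lt "$1" "$FIXED_VERSION"; then echo affected; else echo patched; fi
}

# Constructed sample header (not the plugin's real file) to show the flow.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
/**
 * Plugin Name: Example header (constructed)
 * Version: 3.32.3
 */
EOF
echo "sample header: $(tot_status "$(plugin_header_version "$sample")")"
rm -f "$sample"
```

An "unknown" result means no version could be read from the header and the installation should be checked by hand.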
It's a type of vulnerability that allows an attacker to inject malicious code into a website, which then executes in the browsers of other users when they visit the affected page.
If you are using a version of the plugin prior to 3.32.4, you are likely affected. Update immediately.
Change all passwords, review website files for malicious code, and consider consulting a security professional.
Yes, use strong passwords, enable two-factor authentication, and keep your software updated.
You can find more information in the CVE (Common Vulnerabilities and Exposures) database under the ID CVE-2026-2834.