Platform: php
Component: cvesmarz
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in the Online Reviewer System, affecting versions up to 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides within the btn_functions.php file, specifically in an unknown function handling the 'Description' argument. Public disclosure of this exploit highlights the urgency of remediation.
Successful exploitation of CVE-2026-4972 allows an attacker to inject arbitrary JavaScript code into the Online Reviewer System. This code can then be executed in the context of a victim's browser when they access a vulnerable page. The impact ranges from session hijacking and defacement to the theft of sensitive information, such as user credentials or personal data. The remote nature of the vulnerability means attackers do not need local access to exploit it. While the CVSS score is LOW, the potential for widespread impact through user interaction should not be underestimated, particularly in environments with many users.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. The exploit is readily available, making it accessible to a wide range of attackers. The vulnerability is not currently listed on CISA KEV. Given the public availability of the exploit and the ease of execution, proactive mitigation is strongly recommended.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-4972 is to upgrade to a patched version of the Online Reviewer System (a fixed version is not specified in the provided data). In the absence of a patch, implement robust input validation on the 'Description' argument within btn_functions.php to prevent the injection of malicious scripts. Strict output encoding, particularly when displaying user-supplied data, is also crucial. Consider implementing a Web Application Firewall (WAF) with rules to detect and block XSS attempts targeting this specific vulnerability. Review and update existing security policies to emphasize the importance of secure coding practices and regular vulnerability scanning.
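The two controls named above, input validation on the 'Description' value and output encoding when it is displayed, in PHP. This is an added example and not code from the Online Reviewer System; the function names are hypothetical, and the unsafe form shown is the generic pattern, not the actual code in btn_functions.php.

```php
<?php
// Added example, not the project's own code. The field name 'Description'
// comes from the advisory; every function name here is hypothetical.

declare(strict_types=1);

// Vulnerable pattern: user-supplied text is written straight into the HTML
// body, so a stored description containing markup runs in every visitor's
// browser. Shown for contrast only; never call it with untrusted input.
function render_description_unsafe(string $description): string
{
    return '<p class="description">' . $description . '</p>';
}

// Input validation: accept only well-formed UTF-8 of bounded length. This
// limits what gets stored but does not by itself make the value safe to show.
function validate_description(string $description): ?string
{
    if (!mb_check_encoding($description, 'UTF-8')) {
        return null;
    }
    $description = trim($description);
    if ($description === '' || mb_strlen($description, 'UTF-8') > 2000) {
        return null;
    }
    return $description;
}

// Output encoding for an HTML body or attribute context: every character that
// could open a tag, attribute or entity is escaped, so the browser renders text.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: same markup, but the untrusted value is encoded on output.
function render_description(string $description): string
{
    return '<p class="description">' . html_text($description) . '</p>';
}

// Constructed sample input containing markup, standing in for a POSTed field.
$submitted = 'Nice app! <script>document.title = "xss"</script>';
$clean = validate_description($submitted);
if ($clean === null) {
    http_response_code(400);
    exit('Invalid description');
}
echo render_description($clean), PHP_EOL;
```

Validation and encoding are separate layers: the length and encoding checks reject malformed submissions, while htmlspecialchars() is what keeps a stored description from being interpreted as markup.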
Upgrade to a patched version or apply the security measures recommended by the vendor to mitigate the XSS vulnerability. Verify and sanitize user input, especially the 'Description' field, to prevent the injection of malicious code.
CVE-2026-4972 is a cross-site scripting (XSS) vulnerability affecting Online Reviewer System versions up to 1.0. It allows attackers to inject malicious scripts via the Description argument, potentially compromising user sessions.
If you are using Online Reviewer System version 1.0, you are potentially affected. Assess your environment and implement mitigations immediately.
Upgrade to a patched version of Online Reviewer System. If a patch is unavailable, implement input validation and output encoding to prevent script injection.
The vulnerability has been publicly disclosed and an exploit is available, increasing the likelihood of active exploitation. Proactive mitigation is recommended.
Refer to the Online Reviewer System project's official website or security advisory page for updates and information regarding CVE-2026-4972.