Skip to main content

Vk All In One Expansion Unit CVE-2026-39483

| EUVDEUVD-2026-20150 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Patchstack GHSA-hg48-4fpr-3m3r
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:40 vuln.today
CVSS changed
Apr 13, 2026 - 17:22 NVD
6.5 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20150
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS.This issue affects VK All in One Expansion Unit: from n/a through <= 9.113.3.

AnalysisAI

Stored cross-site scripting (XSS) in VK All in One Expansion Unit WordPress plugin through version 9.113.3 allows authenticated attackers to inject malicious JavaScript that executes in the browsers of other users, potentially compromising site administrators and visitors. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate mass exploitation but remaining a significant risk for compromised or malicious user accounts. No public exploit code or active exploitation has been reported; the EPSS score of 0.03% reflects the authentication and user-interaction requirements that reduce real-world exploitation probability.

Technical ContextAI

The vulnerability stems from improper input sanitization and output encoding in the VK All in One Expansion Unit plugin, a WordPress expansion toolkit that adds multiple features and page-building functionality. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that user-supplied input is not properly escaped or filtered before being rendered in HTML context, allowing attackers to inject script tags or event handlers. The plugin processes user input through its various expansion features but fails to neutralize HTML metacharacters and JavaScript syntax, enabling stored payload persistence in the WordPress database. When an authenticated user (such as a contributor, editor, or author) submits malicious input via the plugin's input fields, that payload is stored unfiltered. Later, when administrators or other users view pages containing that content, the JavaScript executes in their browser context with their privileges.

RemediationAI

Upgrade VK All in One Expansion Unit to version 9.113.4 or later, which includes patches to properly sanitize and escape user input before rendering in HTML context. If an immediate upgrade is not feasible, apply the principle of least privilege by restricting the 'Author' and 'Contributor' user roles on WordPress instances running the plugin, limiting input to trusted administrators only. Review and audit any existing content created by lower-privileged users for signs of injected scripts, and consider exporting and re-importing high-value pages through a secure pipeline. Refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/vk-all-in-one-expansion-unit/vulnerability/wordpress-vk-all-in-one-expansion-unit-plugin-9-113-3-cross-site-scripting-xss-vulnerability?_s_id=cve for detailed advisory information.

Share

CVE-2026-39483 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy