Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS.This issue affects VK All in One Expansion Unit: from n/a through <= 9.113.3.
AnalysisAI
Stored cross-site scripting (XSS) in VK All in One Expansion Unit WordPress plugin through version 9.113.3 allows authenticated attackers to inject malicious JavaScript that executes in the browsers of other users, potentially compromising site administrators and visitors. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate mass exploitation but remaining a significant risk for compromised or malicious user accounts. No public exploit code or active exploitation has been reported; the EPSS score of 0.03% reflects the authentication and user-interaction requirements that reduce real-world exploitation probability.
Technical ContextAI
The vulnerability stems from improper input sanitization and output encoding in the VK All in One Expansion Unit plugin, a WordPress expansion toolkit that adds multiple features and page-building functionality. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that user-supplied input is not properly escaped or filtered before being rendered in HTML context, allowing attackers to inject script tags or event handlers. The plugin processes user input through its various expansion features but fails to neutralize HTML metacharacters and JavaScript syntax, enabling stored payload persistence in the WordPress database. When an authenticated user (such as a contributor, editor, or author) submits malicious input via the plugin's input fields, that payload is stored unfiltered. Later, when administrators or other users view pages containing that content, the JavaScript executes in their browser context with their privileges.
RemediationAI
Upgrade VK All in One Expansion Unit to version 9.113.4 or later, which includes patches to properly sanitize and escape user input before rendering in HTML context. If an immediate upgrade is not feasible, apply the principle of least privilege by restricting the 'Author' and 'Contributor' user roles on WordPress instances running the plugin, limiting input to trusted administrators only. Review and audit any existing content created by lower-privileged users for signs of injected scripts, and consider exporting and re-importing high-value pages through a secure pipeline. Refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/vk-all-in-one-expansion-unit/vulnerability/wordpress-vk-all-in-one-expansion-unit-plugin-9-113-3-cross-site-scripting-xss-vulnerability?_s_id=cve for detailed advisory information.
More in Vk All In One Expansion Unit
View allThe VK All in One Expansion Unit WordPress plugin before 9.87.1.0 does not escape the $_SERVER['REQUEST_URI'] parameter
The VK All in One Expansion Unit WordPress plugin before 9.86.0.0 does not validate and escape some of its block options
The VK All in One Expansion Unit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up
The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the child page in
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Vektor,Inc.
Cross-site scripting vulnerability in CTA post function of VK All in One Expansion Unit 9.88.1.0 and earlier allows a re
Cross-site scripting vulnerability in Profile setting function of VK All in One Expansion Unit 9.88.1.0 and earlier allo
Cross-site scripting vulnerability exists in VK All in One Expansion Unit versions prior to 9.100.1.0. Rated medium seve
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20150
GHSA-hg48-4fpr-3m3r