Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable stored XSS needing victim view (UI:R) and no privileges per vendor; scope changes as script runs in another user's context, with limited C/I/A.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in picu picu picu allows Stored XSS.This issue affects picu: from n/a through <= 3.5.1.
AnalysisAI
Stored cross-site scripting in the picu WordPress plugin (all versions up to and including 3.5.1) lets an attacker inject persistent JavaScript that executes in the browser of any user who later views the affected page. Because the CVSS vector marks a scope change (S:C) and requires only user interaction (UI:R) with no privileges (PR:N), a crafted payload stored via picu can run in an administrator or reviewer session and act beyond the plugin's own boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker can reach a picu input that is stored and later rendered (such as a collection submission, client comment, or selection field) and that a second user - typically a photographer or administrator reviewing the collection - subsequently views the page containing the payload; this victim interaction (UI:R) is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are moderate and internally consistent rather than alarming. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a photo-selection comment or collection field containing a JavaScript payload through picu's client-facing interface, and the input is stored without sanitization. When a photographer or administrator later opens the collection in wp-admin to review the client's picks, the script executes in their authenticated session, enabling actions such as session-token theft or admin-panel actions on their behalf. … |
| Remediation | No vendor-released patch identified at time of analysis in the provided data; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/picu/vulnerability/wordpress-picu-plugin-3-5-1-cross-site-scripting-xss-vulnerability) for the fixed release and upgrade to any version above 3.5.1 once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all WordPress installations for picu presence and document versions in use; determine whether the plugin is operationally critical and identify which user accounts have access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43460