Skip to main content

picu CVE-2026-57387

| EUVDEUVD-2026-43460 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable stored XSS needing victim view (UI:R) and no privileges per vendor; scope changes as script runs in another user's context, with limited C/I/A.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:02 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in picu picu picu allows Stored XSS.This issue affects picu: from n/a through <= 3.5.1.

AnalysisAI

Stored cross-site scripting in the picu WordPress plugin (all versions up to and including 3.5.1) lets an attacker inject persistent JavaScript that executes in the browser of any user who later views the affected page. Because the CVSS vector marks a scope change (S:C) and requires only user interaction (UI:R) with no privileges (PR:N), a crafted payload stored via picu can run in an administrator or reviewer session and act beyond the plugin's own boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach picu submission or comment field
Delivery
Inject stored XSS payload
Exploit
Payload persisted unsanitized
Execution
Admin views collection page
Persist
Script executes in admin session
Impact
Steal session or perform admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker can reach a picu input that is stored and later rendered (such as a collection submission, client comment, or selection field) and that a second user - typically a photographer or administrator reviewing the collection - subsequently views the page containing the payload; this victim interaction (UI:R) is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderate and internally consistent rather than alarming. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a photo-selection comment or collection field containing a JavaScript payload through picu's client-facing interface, and the input is stored without sanitization. When a photographer or administrator later opens the collection in wp-admin to review the client's picks, the script executes in their authenticated session, enabling actions such as session-token theft or admin-panel actions on their behalf. …
Remediation No vendor-released patch identified at time of analysis in the provided data; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/picu/vulnerability/wordpress-picu-plugin-3-5-1-cross-site-scripting-xss-vulnerability) for the fixed release and upgrade to any version above 3.5.1 once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all WordPress installations for picu presence and document versions in use; determine whether the plugin is operationally critical and identify which user accounts have access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57387 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy