Skip to main content

Speaker WordPress Plugin CVE-2026-57783

| EUVDEUVD-2026-43401 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Stored XSS requires low-privilege write access (PR:L) and victim page visit (UI:R); scope changes to victim browser (S:C); availability impact removed as XSS does not cause measurable service disruption.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:18 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in merkulove Speaker speaker allows Stored XSS.This issue affects Speaker: from n/a through <= 4.1.13.

AnalysisAI

Stored Cross-Site Scripting (XSS) in the merkulove Speaker WordPress plugin (versions through 4.1.13) allows an authenticated low-privilege user to inject and persistently store malicious scripts that execute in other users' browsers upon page visitation. The scope change in the CVSS vector (S:C) confirms that successful exploitation crosses the security boundary from the plugin's context into visiting users' browser sessions, enabling session hijacking, credential theft, or unauthorized administrative actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege WordPress user
Delivery
Inject malicious script into Speaker plugin input field
Exploit
Payload persists in WordPress database
Execution
Administrator visits affected page
Persist
Stored script executes in admin browser
Impact
Exfiltrate session token or perform privileged actions

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with at least low-privilege access (PR:L per CVSS) on the target WordPress installation - the attacker must be able to create or edit content or settings that interact with the Speaker plugin's input fields. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L reflects a meaningful but bounded risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privilege WordPress account (e.g., a contributor or author role) navigates to the Speaker plugin's configuration interface or a post editor where Speaker shortcode attributes are accepted, and injects a JavaScript payload such as a cookie-stealing script into an unsanitized field. The payload is saved to the database. …
Remediation The primary remediation is to update the merkulove Speaker plugin to a version released after 4.1.13; however, the intelligence data does not specify an exact patched release version. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57783 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy