Skip to main content

H5P

2 CVEs product

Monthly

CVE-2026-56006 HIGH This Week

Reflected cross-site scripting in the H5P WordPress plugin (versions 1.17.6 and earlier) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link, per the CVSS PR:N/UI:R vector. Because the scope is changed (S:C), successful execution can reach beyond the vulnerable component into the authenticated WordPress session context, enabling session/cookie theft or admin-context actions. There is no public exploit identified and the issue is not listed in CISA KEV, so risk is moderate (CVSS 7.1) and contingent on social-engineering a logged-in user.

XSS H5P
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-3111 MEDIUM POC This Month

The Interactive Content WordPress plugin before 1.15.8 does not validate uploads which could allow a Contributors and above to update malicious SVG files, leading to Stored Cross-Site Scripting issues. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS H5P
NVD WPScan
CVSS 3.1
5.4
EPSS
0.3%
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the H5P WordPress plugin (versions 1.17.6 and earlier) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link, per the CVSS PR:N/UI:R vector. Because the scope is changed (S:C), successful execution can reach beyond the vulnerable component into the authenticated WordPress session context, enabling session/cookie theft or admin-context actions. There is no public exploit identified and the issue is not listed in CISA KEV, so risk is moderate (CVSS 7.1) and contingent on social-engineering a logged-in user.

XSS H5P
NVD
EPSS 0% CVSS 5.4
MEDIUM POC This Month

The Interactive Content WordPress plugin before 1.15.8 does not validate uploads which could allow a Contributors and above to update malicious SVG files, leading to Stored Cross-Site Scripting issues. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS H5P
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy