Skip to main content

Picu

1 CVEs product

Monthly

CVE-2026-57387 HIGH This Week

Stored cross-site scripting in the picu WordPress plugin (all versions up to and including 3.5.1) lets an attacker inject persistent JavaScript that executes in the browser of any user who later views the affected page. Because the CVSS vector marks a scope change (S:C) and requires only user interaction (UI:R) with no privileges (PR:N), a crafted payload stored via picu can run in an administrator or reviewer session and act beyond the plugin's own boundary. No public exploit identified at time of analysis and the issue is not on CISA KEV; the 7.1 CVSS reflects moderate impact across confidentiality, integrity, and availability.

XSS Picu
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the picu WordPress plugin (all versions up to and including 3.5.1) lets an attacker inject persistent JavaScript that executes in the browser of any user who later views the affected page. Because the CVSS vector marks a scope change (S:C) and requires only user interaction (UI:R) with no privileges (PR:N), a crafted payload stored via picu can run in an administrator or reviewer session and act beyond the plugin's own boundary. No public exploit identified at time of analysis and the issue is not on CISA KEV; the 7.1 CVSS reflects moderate impact across confidentiality, integrity, and availability.

XSS Picu
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy