Picu
Monthly
Stored cross-site scripting in the picu WordPress plugin (all versions up to and including 3.5.1) lets an attacker inject persistent JavaScript that executes in the browser of any user who later views the affected page. Because the CVSS vector marks a scope change (S:C) and requires only user interaction (UI:R) with no privileges (PR:N), a crafted payload stored via picu can run in an administrator or reviewer session and act beyond the plugin's own boundary. No public exploit identified at time of analysis and the issue is not on CISA KEV; the 7.1 CVSS reflects moderate impact across confidentiality, integrity, and availability.
Stored cross-site scripting in the picu WordPress plugin (all versions up to and including 3.5.1) lets an attacker inject persistent JavaScript that executes in the browser of any user who later views the affected page. Because the CVSS vector marks a scope change (S:C) and requires only user interaction (UI:R) with no privileges (PR:N), a crafted payload stored via picu can run in an administrator or reviewer session and act beyond the plugin's own boundary. No public exploit identified at time of analysis and the issue is not on CISA KEV; the 7.1 CVSS reflects moderate impact across confidentiality, integrity, and availability.