Skip to main content

Speaker

1 CVEs product

Monthly

CVE-2026-57783 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in the merkulove Speaker WordPress plugin (versions through 4.1.13) allows an authenticated low-privilege user to inject and persistently store malicious scripts that execute in other users' browsers upon page visitation. The scope change in the CVSS vector (S:C) confirms that successful exploitation crosses the security boundary from the plugin's context into visiting users' browser sessions, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or active exploitation (CISA KEV) has been identified at the time of analysis, and EPSS data was not supplied, but the low attack complexity keeps this a credible risk on any WordPress site where untrusted contributors have posting privileges.

XSS Speaker
NVD
CVSS 3.1
6.5
EPSS
0.2%
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in the merkulove Speaker WordPress plugin (versions through 4.1.13) allows an authenticated low-privilege user to inject and persistently store malicious scripts that execute in other users' browsers upon page visitation. The scope change in the CVSS vector (S:C) confirms that successful exploitation crosses the security boundary from the plugin's context into visiting users' browser sessions, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or active exploitation (CISA KEV) has been identified at the time of analysis, and EPSS data was not supplied, but the low attack complexity keeps this a credible risk on any WordPress site where untrusted contributors have posting privileges.

XSS Speaker
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy