Visionary Core
A PHP Object Injection vulnerability exists in NooTheme Visionary Core plugin versions up to and including 1.4.9, stemming from unsafe deserialization of untrusted data. An attacker can inject malicious serialized objects to achieve arbitrary code execution or other critical impacts depending on available magic methods in the WordPress environment. No CVSS score, EPSS data, or KEV confirmation is currently available; however, the vulnerability is documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15602.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in NooTheme Visionary Core WordPress plugin through version 1.4.9, allowing attackers to inject malicious scripts that execute in users' browsers when they visit crafted URLs. This vulnerability, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), affects all installations of the plugin up to and including version 1.4.9. An attacker can craft a malicious link to steal session cookies, perform unauthorized actions on behalf of logged-in users, or redirect users to phishing sites, with the attack vector being network-based and requiring no authentication.