Skip to main content

Vk All In One Expansion Unit

9 CVEs product

Monthly

CVE-2026-39483 MEDIUM This Month

Stored cross-site scripting (XSS) in VK All in One Expansion Unit WordPress plugin through version 9.113.3 allows authenticated attackers to inject malicious JavaScript that executes in the browsers of other users, potentially compromising site administrators and visitors. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate mass exploitation but remaining a significant risk for compromised or malicious user accounts. No public exploit code or active exploitation has been reported; the EPSS score of 0.03% reflects the authentication and user-interaction requirements that reduce real-world exploitation probability.

XSS Vk All In One Expansion Unit
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2024-52268 MEDIUM This Month

Cross-site scripting vulnerability exists in VK All in One Expansion Unit versions prior to 9.100.1.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Vk All In One Expansion Unit
NVD
CVSS 3.1
4.8
EPSS
0.3%
CVE-2024-37956 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Vektor,Inc. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Vk All In One Expansion Unit
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-2093 MEDIUM PATCH This Month

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 9.95.0.1 via social meta tags. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure WordPress Vk All In One Expansion Unit
NVD GitHub
CVSS 3.1
6.5
EPSS
1.1%
CVE-2024-2170 MEDIUM PATCH This Month

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the child page index widget in all versions up to, and including, 9.96.0.1 due to insufficient. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Vk All In One Expansion Unit
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2023-28367 MEDIUM This Month

Cross-site scripting vulnerability in CTA post function of VK All in One Expansion Unit 9.88.1.0 and earlier allows a remote authenticated attacker to inject an arbitrary script. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Vk All In One Expansion Unit
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2023-27926 MEDIUM This Month

Cross-site scripting vulnerability in Profile setting function of VK All in One Expansion Unit 9.88.1.0 and earlier allows a remote authenticated attacker to inject an arbitrary script. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Vk All In One Expansion Unit
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2023-0937 MEDIUM POC This Month

The VK All in One Expansion Unit WordPress plugin before 9.87.1.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Vk All In One Expansion Unit
NVD WPScan
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-0230 MEDIUM POC This Month

The VK All in One Expansion Unit WordPress plugin before 9.86.0.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Vk All In One Expansion Unit
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in VK All in One Expansion Unit WordPress plugin through version 9.113.3 allows authenticated attackers to inject malicious JavaScript that executes in the browsers of other users, potentially compromising site administrators and visitors. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate mass exploitation but remaining a significant risk for compromised or malicious user accounts. No public exploit code or active exploitation has been reported; the EPSS score of 0.03% reflects the authentication and user-interaction requirements that reduce real-world exploitation probability.

XSS Vk All In One Expansion Unit
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Cross-site scripting vulnerability exists in VK All in One Expansion Unit versions prior to 9.100.1.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Vk All In One Expansion Unit
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Vektor,Inc. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Vk All In One Expansion Unit
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 9.95.0.1 via social meta tags. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure WordPress Vk All In One Expansion Unit
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the child page index widget in all versions up to, and including, 9.96.0.1 due to insufficient. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Vk All In One Expansion Unit
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Cross-site scripting vulnerability in CTA post function of VK All in One Expansion Unit 9.88.1.0 and earlier allows a remote authenticated attacker to inject an arbitrary script. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Vk All In One Expansion Unit
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Cross-site scripting vulnerability in Profile setting function of VK All in One Expansion Unit 9.88.1.0 and earlier allows a remote authenticated attacker to inject an arbitrary script. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Vk All In One Expansion Unit
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

The VK All in One Expansion Unit WordPress plugin before 9.87.1.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Vk All In One Expansion Unit
NVD WPScan
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The VK All in One Expansion Unit WordPress plugin before 9.86.0.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Vk All In One Expansion Unit
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy