Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS.This issue affects VK All in One Expansion Unit: from n/a through <= 9.113.3.
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The flaw is caused by improper handling of user input in the plugin’s web page generation. Malicious scripts can be stored and later executed in the browsers of any visitor who loads the affected page. This allows attackers to hijack sessions, steal data, deface content or execute arbitrary code within the site’s context.

Affected Systems

The vulnerability affects WordPress sites using the VK All in One Expansion Unit plugin distributed by Hidekazu Ishikawa. All versions up to and including 9.113.3 are vulnerable; earlier releases newer than 9.113.3 are not impacted.

Risk and Exploitability

The CVSS score of 6.5 denotes moderate severity, while an EPSS score below 1% indicates a low probability of exploitation. The issue is not listed in the CISA KEV catalog. An attacker can exploit the weakness by submitting injected script through the plugin’s interface, which is then embedded in the site’s pages for all users. Because the vector is web‑based and does not require privileged access, the overall risk to site visitors is high.

Generated by OpenCVE AI on April 13, 2026 at 18:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the VK All in One Expansion Unit plugin to the latest available version (greater than 9.113.3).
  • If an update is not immediately available, remove or permanently deactivate the plugin to eliminate the attack surface.
  • Before making changes, back up the WordPress database and files to prevent data loss.

Generated by OpenCVE AI on April 13, 2026 at 18:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Hidekazu Ishikawa
Hidekazu Ishikawa vk All In One Expansion Unit
Wordpress
Wordpress wordpress
Vendors & Products Hidekazu Ishikawa
Hidekazu Ishikawa vk All In One Expansion Unit
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS.This issue affects VK All in One Expansion Unit: from n/a through <= 9.113.3.
Title WordPress VK All in One Expansion Unit plugin <= 9.113.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Hidekazu Ishikawa Vk All In One Expansion Unit
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:01.879Z

Reserved: 2026-04-07T10:47:37.759Z

Link: CVE-2026-39483

cve-icon Vulnrichment

Updated: 2026-04-13T16:17:19.953Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:22.970

Modified: 2026-04-24T18:08:35.440

Link: CVE-2026-39483

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:40:03Z

Weaknesses