Description
The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user.
Published: 2026-06-17
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WP Magnific Popup up to version 1.0 fails to escape user-controlled link URLs before rendering them in the DOM when image load errors occur. This defect allows an authenticated Author or higher to store malicious JavaScript in the plugin’s link fields that will execute automatically when any site visitor views an affected page, potentially leaking session data, defacing content, or performing account hijack. The weakness directly maps to improper neutralization of input during web page generation, enabling client‑side code execution.

Affected Systems

The vulnerability affects the WordPress plugin WP Magnific Popup, versions 1.0 and earlier. No specific vendor or broader product family is listed beyond the plugin name, and the affected‑version range is limited to the 1.0 release. Users running this branch of the plugin are exposed; no other products are implicated by the current analysis.

Risk and Exploitability

With a CVSS base score of 5.9 the issue represents a moderate risk profile. The EPSS score is below 1%, indicating a low but non‑zero probability that the flaw is being exploited in the wild. It is not listed in the CISA KEV catalog. The attack requires an attacker to have authenticated Author or higher privileges within WordPress to inject the malicious link. Once stored, the payload can be triggered by any visiting user, creating a cross‑site scripting vector that can lead to information disclosure or session compromise.

Generated by OpenCVE AI on June 18, 2026 at 12:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update or upgrade WP Magnific Popup to a version that includes proper escaping of href attributes.
  • If no patched version exists, remove or disable the plugin to eliminate the attack surface.
  • Implement a Content Security Policy that restricts execution of inline scripts and blocks suspicious href payloads.
  • Consider applying a web application firewall rule that detects and blocks XSS payloads in link URL fields.

Generated by OpenCVE AI on June 18, 2026 at 12:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wp Magnific Popup
Wp Magnific Popup wp Magnific Popup
Vendors & Products Wordpress
Wordpress wordpress
Wp Magnific Popup
Wp Magnific Popup wp Magnific Popup

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user.
Title WP Magnific Popup <= 1.0 - Author+ Stored XSS via href Attribute
References

Subscriptions

Wordpress Wordpress
Wp Magnific Popup Wp Magnific Popup
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-17T10:48:01.172Z

Reserved: 2026-05-05T11:15:08.498Z

Link: CVE-2026-7850

cve-icon Vulnrichment

Updated: 2026-06-17T10:47:56.354Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:31Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')