CVE-2026-1391
Unknown Unknown - Not Provided
Reflected XSS in Vzaar WordPress Plugin Allows Script Injection

Publication date: 2026-01-28

Last updated on: 2026-01-28

Assigner: Wordfence

Description
The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on the $_SERVER['PHP_SELF'] variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-28
Last Modified
2026-01-28
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1391
EUVD
EUVD-2026-4923
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vzaar vzaar_media_management to 1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Reflected Cross-Site Scripting (XSS) issue in the Vzaar Media Management plugin for WordPress, affecting all versions up to and including 1.2. It occurs because the plugin does not properly sanitize or escape the $_SERVER['PHP_SELF'] variable, allowing unauthenticated attackers to inject malicious scripts that execute when a user is tricked into clicking a crafted link.

Impact Analysis

The vulnerability can allow attackers to execute arbitrary scripts in the context of the affected website, potentially leading to actions such as session hijacking, defacement, or redirecting users to malicious sites. This can compromise user trust and the security of the website's visitors.

Mitigation Strategies

To mitigate this vulnerability, update the Vzaar Media Management plugin for WordPress to a version later than 1.2 where the issue is fixed. If an update is not immediately available, consider disabling the plugin until a patch is released. Additionally, implement web application firewall (WAF) rules to block suspicious requests that attempt to exploit reflected cross-site scripting via the PHP_SELF variable.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1391. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart