CVE-2026-39483
Stored XSS in VK All in One Expansion Unit Plugin
Publication date: 2026-04-08
Last updated on: 2026-04-13
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hidekazu_ishikawa | vk_all_in_one_expansion_unit | to 9.113.3 (inc) |
| hidekazu_ishikawa | vk_all_in_one_expansion_unit | From 9.0.0 (inc) to 9.113.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39483 is a Cross Site Scripting (XSS) vulnerability found in the WordPress VK All in One Expansion Unit Plugin versions up to and including 9.113.3.
This vulnerability allows attackers to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, which execute when site visitors access the compromised website.
Exploitation requires a user with at least Contributor or Developer privileges to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a Stored Cross Site Scripting (XSS) issue that allows attackers to inject malicious scripts which execute when site visitors access the compromised website.
Such vulnerabilities can potentially lead to unauthorized access to user data or session hijacking, which may impact compliance with data protection regulations like GDPR or HIPAA if sensitive personal or health information is exposed or compromised.
However, the provided information does not explicitly state the direct impact of this vulnerability on compliance with specific standards or regulations.
How can this vulnerability impact me? :
This vulnerability can lead to the execution of malicious scripts on your website, which may cause unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads.
Although considered a moderate severity issue with a CVSS score of 6.5, it is noted as a low priority with no impactful threat individually.
However, such vulnerabilities can be exploited in mass campaigns targeting many websites regardless of their traffic or popularity, potentially compromising site integrity and user trust.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a Stored Cross Site Scripting (XSS) issue in the VK All in One Expansion Unit WordPress plugin up to version 9.113.3. Detection typically involves checking the plugin version installed on your WordPress site.
Since exploitation requires user interaction and involves malicious script injection, network detection might involve monitoring for unusual script payloads or suspicious HTTP requests containing injected scripts.
To detect if your system is vulnerable, you can check the installed plugin version using WordPress CLI commands such as:
- wp plugin list --status=active
- wp plugin get vk-all-in-one-expansion-unit --field=version
If the version is less than or equal to 9.113.3, your system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to update the VK All in One Expansion Unit plugin to version 9.113.4 or later, where the vulnerability has been patched.
Additionally, consider applying automated updates if available, such as those offered by Patchstack, to ensure rapid protection against this and similar vulnerabilities.
Limiting user privileges to only those necessary (e.g., restricting Contributor or Developer roles) can also reduce the risk of exploitation since the attack requires user interaction with sufficient privileges.