{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39483", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:47:37.759Z", "datePublished": "2026-04-08T08:30:10.547Z", "dateUpdated": "2026-04-08T08:30:10.547Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "vk-all-in-one-expansion-unit", "product": "VK All in One Expansion Unit", "vendor": "Hidekazu Ishikawa", "versions": [{"changes": [{"at": "9.113.4", "status": "unaffected"}], "lessThanOrEqual": "9.113.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "timomangcut | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:57.470Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS.<p>This issue affects VK All in One Expansion Unit: from n/a through <= 9.113.3.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS.This issue affects VK All in One Expansion Unit: from n/a through <= 9.113.3."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:10.547Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/vk-all-in-one-expansion-unit/vulnerability/wordpress-vk-all-in-one-expansion-unit-plugin-9-113-3-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress VK All in One Expansion Unit plugin <= 9.113.3 - Cross Site Scripting (XSS) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS.This issue affects VK All in One Expansion Unit: from n/a through <= 9.113.3."}], "id": "CVE-2026-39483", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:22.970", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/vk-all-in-one-expansion-unit/vulnerability/wordpress-vk-all-in-one-expansion-unit-plugin-9-113-3-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.113.3]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[9.113.4,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "VK All in One Expansion Unit", "source": "cna", "vendor": "Hidekazu Ishikawa"}, "product": "vk_all_in_one_expansion_unit", "vendor": "hidekazu_ishikawa"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:25:13.605389+00:00", "value": {"mitigation_remediation": ["Upgrade the VK All in One Expansion Unit plugin to a version newer than 9.113.3.", "If an upgrade is not feasible, remove the plugin entirely to eliminate the vulnerability.", "Verify that no other code on the site introduces similar XSS weaknesses."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Hidekazu Ishikawa VK All in One Expansion Unit plugin used in WordPress installations, versions up to and including 9.113.3 are affected. No specific sub\u2011versions or environments are listed, so any WordPress site deploying a vulnerable instance of this plugin is vulnerable.", "description_and_impact": "The VK All in One Expansion Unit plugin accepts user input without proper sanitization, allowing an attacker to store malicious script data that is later rendered in the web page. This stored cross\u2011site scripting flaw enables an attacker to execute any JavaScript code in the context of a victim\u2019s browser when they view affected content. The impact could include theft of session cookies, defacement of sites, or delivery of further malware. The weakness corresponds to CWE\u201179.", "risk_and_exploitability": "No CVSS score is provided, and EPSS information is missing, so the calculated risk is unknown. The vulnerability can be triggered by an attacker who manages to inject malicious input, which is then stored and displayed to visitors. Likely attack vector involves a user clicking on or viewing a page that contains the stored payload. Since stored XSS is a common and straightforward technique, exploitation is considered possible with moderate effort."}}}}, "created": "2026-04-08T19:30:46.485527+00:00", "updated": "2026-04-08T19:43:15.219956+00:00", "vendors": ["hidekazu_ishikawa", "hidekazu_ishikawa$PRODUCT$vk_all_in_one_expansion_unit", "wordpress", "wordpress$PRODUCT$wordpress"]}