Description

The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user.

State: PUBLISHED | Reserved 2026-05-05 | Published 2026-06-17 | Updated 2026-06-17 | Assigner: WPScan

Problem types

CWE-79 Cross-Site Scripting (XSS)

Product status

Default status: unknown

Any version: affected

Credits

Pierre Rudloff (finder)

WPScan (coordinator)

References

wpscan.com/...rability/30f408dd-4b9a-438c-8dc4-c6daafe237fe/ (exploit, vdb-entry, technical-description)

cve.org (CVE-2026-7850)

nvd.nist.gov (CVE-2026-7850)
