CVE-2026-7850 | The WP Magnific Popup WordPress plugin through 1.0 does not … | CVSS 5.9 MEDIUM

Description

The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user.

Metadata

CVE ID: CVE-2026-7850
State: PUBLISHED
Assigner: WPScan
Reserved: 2026-05-05 11:15 UTC
Published: 2026-06-17 06:00 UTC
Last updated: 2026-06-17 10:48 UTC
Vendor / Product: Unknown / WP Magnific Popup
Sources: cve.org · NVD

Severity & Metrics

5.9 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Unknown	WP Magnific Popup	—	0 ≤ 1.0

Weakness (CWE)

CWE	Source	Description
—	cna	CWE-79 Cross-Site Scripting (XSS)

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.9	MEDIUM	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

References (1)

https://wpscan.com/vulnerability/30f408dd-4b9a-438c-8dc4-c6daafe237fe/