CVE-2026-7850— WP Magnific Popup <= 1.0 - Author+ Stored XSS via href Attribute
Possible ATT&CK Techniques 1AI
T1059 · Command and Scripting InterpreterAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Unknown | WP Magnific Popup | ≤ 1.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-7850
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WP Magnific Popup <= 1.0 - Author+ Stored XSS via href Attribute
Source: NVD (National Vulnerability Database)
Vulnerability Description
The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress WP Magnific Popup 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WP Magnific Popup是WordPress基金会开源的一款WordPress弹出层插件。 WordPress WP Magnific Popup 1.0及之前版本存在跨站脚本漏洞,该漏洞源于未正确转义用户控制的链接URL,可能导致经过身份验证的Authors及以上权限用户执行存储型跨站脚本攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Unknown | WP Magnific Popup | 0 ~ 1.0 | - |
II. Public POCs for CVE-2026-7850
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-7850
请登录查看更多情报信息。
News Coverage for CVE-2026-7850 (1)
- 🔗 WP Magnific Popup <= 1.0 – Author+ Stored XSS via href Attribute | CVE 2026-7850 | Plugin Vulnerabilities Read full article exploitvdb-entrytechnical-description
Same Patch Batch · Unknown · 2026-06-17 · 4 CVEs total
| CVE-2026-9570 | Taskbuilder < 5.0.8 - Reflected XSS via Shortcode | |
| CVE-2026-8383 | LearnPress < 4.3.7 - Unauthenticated Sensitive User Information Disclosure via REST API | |
| CVE-2026-8089 | weMail < 2.1.3 - Reflected Cross-Site Scripting |
IV. Related Vulnerabilities
Same vendor: Unknown
- CVE-2026-9822
WP Hotel Booking < 2.3.1 - Subscriber+ Missing Authorization - CVE-2026-9815
MagicForm <= 0.1.3 - Unauthenticated Arbitrary File Upload t - CVE-2026-9570
Taskbuilder < 5.0.8 - Reflected XSS via Shortcode - CVE-2026-8383
LearnPress < 4.3.7 - Unauthenticated Sensitive User Informat - CVE-2026-8089
weMail < 2.1.3 - Reflected Cross-Site Scripting
V. Comments for CVE-2026-7850
No comments yet