{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39483", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:47:37.759Z", "datePublished": "2026-04-08T08:30:10.547Z", "dateUpdated": "2026-04-29T09:52:01.879Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "vk-all-in-one-expansion-unit", "product": "VK All in One Expansion Unit", "vendor": "Hidekazu Ishikawa", "versions": [{"changes": [{"at": "9.113.4", "status": "unaffected"}], "lessThanOrEqual": "9.113.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "timomangcut | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:57.470Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS.<p>This issue affects VK All in One Expansion Unit: from n/a through <= 9.113.3.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS.This issue affects VK All in One Expansion Unit: from n/a through <= 9.113.3."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:01.879Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/vk-all-in-one-expansion-unit/vulnerability/wordpress-vk-all-in-one-expansion-unit-plugin-9-113-3-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress VK All in One Expansion Unit plugin <= 9.113.3 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T16:17:42.740753Z", "id": "CVE-2026-39483", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T16:17:50.736Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39483", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T16:17:42.740753Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T16:17:19.953Z"}}], "cna": {"title": "WordPress VK All in One Expansion Unit plugin <= 9.113.3 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "timomangcut | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "affected": [{"vendor": "Hidekazu Ishikawa", "product": "VK All in One Expansion Unit", "versions": [{"status": "affected", "changes": [{"at": "9.113.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "9.113.3"}], "packageName": "vk-all-in-one-expansion-unit", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:57.470Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/vk-all-in-one-expansion-unit/vulnerability/wordpress-vk-all-in-one-expansion-unit-plugin-9-113-3-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS.This issue affects VK All in One Expansion Unit: from n/a through <= 9.113.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS.<p>This issue affects VK All in One Expansion Unit: from n/a through <= 9.113.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:10.547Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39483", "state": "PUBLISHED", "dateUpdated": "2026-04-13T16:17:50.736Z", "dateReserved": "2026-04-07T10:47:37.759Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:10.547Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS.This issue affects VK All in One Expansion Unit: from n/a through <= 9.113.3."}], "id": "CVE-2026-39483", "lastModified": "2026-04-24T18:08:35.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:22.970", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/vk-all-in-one-expansion-unit/vulnerability/wordpress-vk-all-in-one-expansion-unit-plugin-9-113-3-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.113.3]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[9.113.4,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "VK All in One Expansion Unit", "source": "cna", "vendor": "Hidekazu Ishikawa"}, "product": "vk_all_in_one_expansion_unit", "vendor": "hidekazu_ishikawa"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T18:47:31.421078+00:00", "value": {"mitigation_remediation": ["Update the VK All in One Expansion Unit plugin to the latest available version (greater than 9.113.3).", "If an update is not immediately available, remove or permanently deactivate the plugin to eliminate the attack surface.", "Before making changes, back up the WordPress database and files to prevent data loss."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects WordPress sites using the VK All in One Expansion Unit plugin distributed by Hidekazu Ishikawa. All versions up to and including 9.113.3 are vulnerable; earlier releases newer than 9.113.3 are not impacted.", "description_and_impact": "The flaw is caused by improper handling of user input in the plugin\u2019s web page generation. Malicious scripts can be stored and later executed in the browsers of any visitor who loads the affected page. This allows attackers to hijack sessions, steal data, deface content or execute arbitrary code within the site\u2019s context.", "risk_and_exploitability": "The CVSS score of 6.5 denotes moderate severity, while an EPSS score below 1% indicates a low probability of exploitation. The issue is not listed in the CISA KEV catalog. An attacker can exploit the weakness by submitting injected script through the plugin\u2019s interface, which is then embedded in the site\u2019s pages for all users. Because the vector is web\u2011based and does not require privileged access, the overall risk to site visitors is high."}}}}, "created": "2026-04-08T19:30:46.485527+00:00", "updated": "2026-04-14T16:40:03.693742+00:00", "vendors": ["hidekazu_ishikawa", "hidekazu_ishikawa$PRODUCT$vk_all_in_one_expansion_unit", "wordpress", "wordpress$PRODUCT$wordpress"]}