CVE-2026-7850
WP Magnific Popup <= 1.0 - Author+ Stored XSS via href Attribute
The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Affected products
Unknown · WP Magnific Popuppublic PoCs found — 1
cve_referencewpscan.com/vulnerability/30f408dd-4b9a-438c-8dc4-c6daafe237fe/unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →