WP Magnific Popup <= 1.0 – Author+ Stored XSS via href Attribute | CVE 2026-7850 | Plugin Vulnerabilities

Description

The plugin does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user.

Proof of Concept

1. As an Author, create a new post and add the following HTML via the HTML editor or Custom HTML block:

<a href="&quot;&gt;&lt;img src=x onerror=alert()&gt;" class="mpopup">Click me</a>

2. Publish the post.
3. As any user (including unauthenticated), visit the post and click the "Click me" link.
4. The plugin reads the href attribute value and injects it into the DOM without sanitization, triggering the XSS payload.

Affects Plugins

wp-magnific-popup

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Pierre Rudloff

Submitter

Pierre Rudloff

Verified

Yes

WPVDB ID

30f408dd-4b9a-438c-8dc4-c6daafe237fe

Timeline

Publicly Published

2026-05-27 (about 21 days ago)

Added

2026-05-27 (about 21 days ago)

Last Updated

2026-05-27 (about 21 days ago)

Other

Published

Title

Published

2023-11-15

Title

Bamboo Columns <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2021-05-17

Title

Car Repair Services < 4.0 - Unauthenticated Reflected XSS & XFS

Published

2025-05-23

Title

Page Builder: Pagelayer – Drag and Drop website builder < 2.0.1 - Reflected Cross-Site Scripting via login_url Parameter

Published

2015-08-21

Title

YITH Maintenance Mode < 1.2.0 - Authenticated Reflected Cross-Site Scripting (XSS)

Published

2021-10-05

Title

WP-Recall < 16.24.48 - Reflected Cross-Site Scripting