Stored Cross-Site Scripting Vulnerability in VideoZen Plugin by WordPress
CVE-2026-6439

4.4MEDIUM

Key Information:

Vendor: WordPress
Status: Videozen
Vendor: CVE Published:; 17 April 2026

What is CVE-2026-6439?

The VideoZen plugin for WordPress has a vulnerability that allows an authenticated attacker with Administrator-level access to exploit stored Cross-Site Scripting (XSS). This occurs because the plugin's videozen_conf() function does not adequately sanitize input or escape output. Specifically, the 'lang' POST parameter gets stored via update_option() without sanitization and then displayed in a element without using appropriate escaping functions like esc_textarea(). As a result, attackers can inject arbitrary web scripts into the plugin's settings page, executing malicious content whenever users access that page.

Affected Version(s)

VideoZen 0 <= 1.0.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/videozen/trunk...

https://plugins.trac.wordpress.org/browser/videozen/tags/...

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 17, 2026
Vulnerability Reserved
Apr 16, 2026

Credit

Muhammad Nur Ibnu Hubab

CVE-2026-6439 Data

JSON