CVE-2026-7850 PUBLISHED

WP Magnific Popup <= 1.0 - Author+ Stored XSS via href Attribute

Assigner: WPScan
Reserved: 05.05.2026 Published: 17.06.2026 Updated: 17.06.2026

The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user.

Product Status

Vendor: Unknown
Product: WP Magnific Popup
Versions (default: unknown):
  • affected from 0 to 1.0 (incl.)

Credits

  • Pierre Rudloff (finder)
  • WPScan (coordinator)

Problem Types

  • CWE-79: Cross-Site Scripting (XSS)