CVE-2026-3551 — Cross-Site Scripting (XSS)
Image via images.unsplash.com
CVE-2026-3551 — The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's admin settings in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on multiple settings fields including 'Us
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-3551 | vulnerability | CVE-2026-3551 |
| CWE-79 | weakness | CWE-79 |
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 16, 2026 at 09:16 UTC |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Related Posts
Rsync Vulnerability Exposes Users to Use-After-Free Flaw
CVE-2026-41035 — In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim...
CVE-2026-41034 — ONLYOFFICE DocumentServer before 9.3.0 has an untrusted
CVE-2026-41034 — ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and...
CVE-2026-41030 — In ONLYOFFICE DesktopEditors before 9.3.0, the update
CVE-2026-41030 — In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges.