PT-2026-33430 · WordPress · Videozen

Published 2026-04-17 · Updated 2026-04-24 · CVE-2026-6439

CVSS v3.1: 4.4 (Medium)

Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
VideoZen versions prior to 1.0.2

Description
The VideoZen plugin for WordPress contains a Stored Cross-Site Scripting issue caused by insufficient input sanitization and output escaping in the videozen_conf() function. The lang POST parameter is stored via update_option() without sanitization and subsequently displayed within a <textarea> element without the use of esc_textarea() or similar escaping functions. This allows authenticated attackers with Administrator-level access or higher to inject arbitrary web scripts into the plugin settings page, which execute when any user visits that page.

Recommendations
Update to a version newer than 1.0.1. As a temporary workaround, restrict access to the plugin settings page to minimize the risk of exploitation.
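
The store-then-display pattern from the description, next to a hardened form, as an added example for plugin reviewers. This is not VideoZen's source code: the function names, the option name example_lang and the nonce action example_conf_save are hypothetical, and only the lang POST parameter and the WordPress core functions are real.

```php
<?php
// Added illustration, not the plugin's own code. Hypothetical names:
// example_conf_vulnerable(), example_conf_hardened(), 'example_lang',
// 'example_conf_save'. The WordPress API calls are real core functions.

// Pattern described in the advisory: raw POST value stored, then echoed raw.
function example_conf_vulnerable() {
    if ( isset( $_POST['lang'] ) ) {
        update_option( 'example_lang', $_POST['lang'] ); // stored without sanitization
    }
    // Unescaped output: a stored value that contains a closing textarea tag
    // ends the element early, and the rest is parsed as page markup.
    echo '<textarea name="lang">' . get_option( 'example_lang' ) . '</textarea>';
}

// Hardened pattern: authorize, verify the nonce, sanitize on input,
// escape on output.
function example_conf_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }

    if ( isset( $_POST['lang'] ) ) {
        // Standard settings-handler check; stops the request on a bad nonce.
        check_admin_referer( 'example_conf_save' );

        // wp_unslash() removes the slashes WordPress adds to request data;
        // sanitize_textarea_field() strips tags but keeps line breaks.
        $lang = sanitize_textarea_field( wp_unslash( $_POST['lang'] ) );
        update_option( 'example_lang', $lang );
    }

    echo '<form method="post">';
    wp_nonce_field( 'example_conf_save' );
    // esc_textarea() encodes <, >, & and quotes, so the value stays text
    // inside the element even if an older unsanitized value is still stored.
    echo '<textarea name="lang">'
        . esc_textarea( get_option( 'example_lang', '' ) )
        . '</textarea>';
    submit_button();
    echo '</form>';
}
```

Escaping at output matters independently of sanitizing at input, because option values written before an update remain in the database until they are overwritten.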

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-6439

Affected Products: Videozen