# CVE-2026-1706
Published 2026-03-04
Priority P423 · Severity: medium · CVSS 3.1 base score 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.23% (13.8th percentile)
The All-in-One Video Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'vi' parameter in all versions up to, and including, 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| plugins360 | all-in-one_video_gallery | <= 4.7.1 | — |
## GHSA: Synapse CPU starvation (Denial of Service)
Source: ghsa · 2026-05-14 · CVE-2026-45078 [HIGH] · CWE-400
### Impact
Local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service.
Homeservers that trust all their local users are not at risk.
### Patches
Update to Synapse 1.152.1 or later.
### Workarounds
If Synapse is deployed behind a reverse proxy, the reverse proxy could be configured to limit the rate of user requests, preventing or increasing the difficulty of the attack.
### Identifiers
- ELEMENTSEC-2026-1706
### For more information
If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:[email protected]).
## GHSA-9jg6-vr9q-89g4: All-in-One Video Gallery reflected XSS via the 'vi' parameter
Source: ghsa_unreviewed · 2026-03-04 · CVE-2026-1706 [MEDIUM] · CWE-79
The All-in-One Video Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'vi' parameter in all versions up to, and including, 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
No detection rules found.
No public exploits indexed.
## Wiz: CVE-2026-1706 Impact, Exploitability, and Mitigation Steps
Source: blogs_wiz · CVSS 9.8 · CVE-2026-1706 [CRITICAL]
### CVE-2026-1706: WordPress vulnerability analysis and mitigation
The All-in-One Video Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'vi' parameter in all versions up to, and including, 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.1 |
| Published | March 4, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.1 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 33.5 |
| Exploitation Probability (EPSS) | 0.1 |
## Bugzilla: CVE-2026-2100 p11-kit: NULL dereference via C_DeriveKey with specific NULL parameters
Source: bugzilla · 2026-02-06 · CVE-2026-2100 [MEDIUM] · CVSS 5.3
Summary: potential NULL dereference in p11-kit when calling C_DeriveKey remotely with specific parameters.
Requirements to exploit: an attacker calls C_DeriveKey on a remote token with either the IBM Kyber or the IBM BTC derive mechanism, with specific mechanism parameter values set to NULL. The RPC client might then attempt to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior.
The fix is a slight overhaul of the p11_rpc_buffer_get_ibm_kyber_mech_param_update and p11_rpc_buffer_get_ibm_btc_derive_mech_param_update functions, where variable data could potentially be used uninitialized.
Report from static analysis:
- Defect type: UNINIT
- Location: p11-kit-0.26.1/p11-kit/rpc-message.c:1706
References:
- https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.7.1/includes/helpers/render.php#L304
- https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.7.1/public/videos.php#L776
- https://plugins.trac.wordpress.org/changeset/3469442/all-in-one-video-gallery/trunk/public/videos.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bcaff8ab-2db9-4d91-9b7a-f7f49f5952b9?source=cve