CVE-2026-56347
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
The AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting (XSS) vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields, potentially stealing session cookies or performing unauthorized actions.
Risk Assessment
This vulnerability poses a risk to all site visitors, as it may lead to session data theft and unauthorized access to user accounts.
Recommendation
It is recommended to update the AVideo TopMenu plugin to the latest version to mitigate this vulnerability and implement proper output encoding mechanisms for all data displayed on the site.
Original NVD description (English source)
AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site visitors, potentially stealing session cookies or performing unauthorized actions.

