Vulnerabilities and security researches forvk-all-in-one-expansion-unit vk-all-in-one-expansion-unit

Feb 27, 2026

CVE, Research URL: CVE-2025-11737
Home page URL: Security reports for VK All in One Expansion Unit
Application: VK All in One Expansion Unit
Date: Feb 18, 2026
Research Description: The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_sns_title' parameter in all versions up to, and including, 9.112.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 9.112.4.
Status: vulnerable

Dec 10, 2025

CVE, Research URL: CVE-2025-11265
Home page URL: Security reports for VK All in One Expansion Unit
Application: VK All in One Expansion Unit
Date: Nov 18, 2025
Research Description: The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_cta_url' and 'vkExUnit_cta_button_text' parameters in all versions up to, and including, 9.112.1. This is due to a logic error in the CTA save function that reads sanitization callbacks from the wrong variable ($custom_field_name instead of $custom_field_options), causing the sanitization to never be applied. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute when a user accesses an injected page.",
Affected versions: max 9.112.2.
Status: vulnerable

CVE, Research URL: CVE-2025-11267
Home page URL: Security reports for VK All in One Expansion Unit
Application: VK All in One Expansion Unit
Date: Nov 18, 2025
Research Description: The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_veu_custom_css' parameter in all versions up to, and including, 9.112.1. This is due to insufficient input sanitization and output escaping on the user-supplied Custom CSS value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses an injected page.
Affected versions: max 9.112.2.
Status: vulnerable

Nov 18, 2024

CVE, Research URL: CVE-2024-52268
Home page URL: Security reports for VK All in One Expansion Unit
Application: VK All in One Expansion Unit
Date: Nov 13, 2024
Research Description: Cross-site scripting vulnerability exists in VK All in One Expansion Unit versions prior to 9.100.1.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing the web site using the product.
Affected versions: max 9.100.1.0.
Status: vulnerable

Jul 13, 2024

CVE, Research URL: CVE-2024-37956
Home page URL: Security reports for VK All in One Expansion Unit
Application: VK All in One Expansion Unit
Date: Jul 20, 2024
Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Vektor,Inc. VK All in One Expansion Unit allows Stored XSS.This issue affects VK All in One Expansion Unit: from n/a through 9.99.1.0.
Affected versions: max 9.99.2.0.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2023-0230
Home page URL: Security reports for VK All in One Expansion Unit
Application: VK All in One Expansion Unit
Date: Feb 27, 2023
Research Description: The VK All in One Expansion Unit WordPress plugin before 9.86.0.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Affected versions: max 9.87.1.0.
Status: vulnerable

CVE, Research URL: CVE-2024-2093
Home page URL: Security reports for VK All in One Expansion Unit
Application: VK All in One Expansion Unit
Date: Apr 10, 2024
Research Description: The VK All in One Expansion Unit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 9.95.0.1 via social meta tags. This makes it possible for unauthenticated attackers to view limited password protected content.
Affected versions: max 9.96.0.0.
Status: vulnerable

CVE, Research URL: CVE-2023-27926
Home page URL: Security reports for VK All in One Expansion Unit
Application: VK All in One Expansion Unit
Date: May 23, 2023
Research Description: Cross-site scripting vulnerability in Profile setting function of VK All in One Expansion Unit 9.88.1.0 and earlier allows a remote authenticated attacker to inject an arbitrary script.
Affected versions: max 9.88.2.0.
Status: vulnerable

CVE, Research URL: CVE-2023-28367
Home page URL: Security reports for VK All in One Expansion Unit
Application: VK All in One Expansion Unit
Date: May 23, 2023
Research Description: Cross-site scripting vulnerability in CTA post function of VK All in One Expansion Unit 9.88.1.0 and earlier allows a remote authenticated attacker to inject an arbitrary script.
Affected versions: max 9.88.2.0.
Status: vulnerable

CVE, Research URL: CVE-2023-0937
Home page URL: Security reports for VK All in One Expansion Unit
Application: VK All in One Expansion Unit
Date: Mar 20, 2023
Research Description: The VK All in One Expansion Unit WordPress plugin before 9.87.1.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
Affected versions: max 9.87.1.0.
Status: vulnerable

CVE, Research URL: CVE-2023-27923
Home page URL: Security reports for VK All in One Expansion Unit
Application: VK All in One Expansion Unit
Date: May 23, 2023
Research Description: Cross-site scripting vulnerability in Tag edit function of VK Blocks 1.53.0.1 and earlier and VK Blocks Pro 1.53.0.1 and earlier allows a remote authenticated attacker to inject an arbitrary script.
Affected versions: max 9.88.2.0.
Status: vulnerable

CVE, Research URL: CVE-2024-2170
Home page URL: Security reports for VK All in One Expansion Unit
Application: VK All in One Expansion Unit
Date: Mar 26, 2024
Research Description: The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the child page index widget in all versions up to, and including, 9.96.0.1 due to insufficient input sanitization and output escaping on user supplied attributes such as 'className.' This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 9.97.0.0.
Status: vulnerable