cleantalk
Vulnerabilities and Security Researches

CI HUB Connector, CVE-2026-4353

CVE, Research URL

CVE-2026-4353

Home page URL

Security reports for CI HUB Connector

Application

CI HUB Connector

Published on
Apr 22, 2026
Research Description
The CI HUB Connector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `cihub_metadata` shortcode in all versions up to, and including, 1.2.106 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.2.106.
Status
vulnerable
Previous vulnerability researches
Authors Autocomplete Meta Box (CVE-2025-25169) , Feb 17, 2025
New vulnerability
WP Booking Calendar (CVE-2025-9346) , Apr 23, 2026
Backup Migration , Apr 23, 2026
Team – WordPress Team Members Showcase Plugin (CVE-2025-57975) , Apr 23, 2026
Album and Image Gallery plus Lightbox (CVE-2026-6443) , Apr 23, 2026
Royal Elementor Addons and Templates (CVE-2025-5092) , Apr 23, 2026