cleantalk
Vulnerabilities and Security Researches

Cincopa video and media plug-in, CVE-2026-10092

CVE, Research URL

CVE-2026-10092

Home page URL

Security reports for Cincopa video and media plug-in

Application

Cincopa video and media plug-in

Published on
Jun 24, 2026
Research Description
The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via cincopa Shortcode in Post Comments in all versions up to, and including, 1.163 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation is possible because the plugin processes the [cincopa] shortcode via a comment_text filter hook, allowing unauthenticated visitors who can post comments to supply a malicious shortcode argument that persists in the database.
Affected versions
max 1.163.
Status
vulnerable
Previous vulnerability researches
FREE DOWNLOAD MANAGER (CVE-2024-49315) , Oct 19, 2024
CM Download Manager – Document and File Management (CVE-2025-24758) , Feb 19, 2025
CM Download Manager – Document and File Management (CVE-2020-27344) , Jun 06, 2024
CM Download Manager – Document and File Management (CVE-2014-8877) , Jun 06, 2024
CM Download Manager – Document and File Management (CVE-2024-1962) , Jun 06, 2024
New vulnerability
MapPress Maps for WordPress (CVE-2026-56011) , Jun 25, 2026
WP Photo Album Plus (CVE-2026-54829) , Jun 25, 2026
Infility Global (CVE-2026-7842) , Jun 25, 2026
Infility Global (CVE-2026-8163) , Jun 25, 2026
Motors – Car Dealer, Classifieds & Listing (CVE-2026-54828) , Jun 25, 2026