cleantalk
Vulnerabilities and Security Researches

Sphere Manager, CVE-2026-1905

CVE, Research URL

CVE-2026-1905

Home page URL

Security reports for Sphere Manager

Application

Sphere Manager

Published on
Feb 14, 2026
Research Description
The Sphere Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in the 'show_sphere_image' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.0.2.
Status
vulnerable
Previous vulnerability researches
Social Link Groups (CVE-2024-49619) , Oct 22, 2024
Featured Posts with Multiple Custom Groups (FPMCG) (CVE-2024-48031) , Oct 13, 2024
Featured Posts with Multiple Custom Groups (FPMCG) (CVE-2024-48032) , Oct 13, 2024
RDP inGroups+ (CVE-2025-23546) , Mar 22, 2025
Payment Gateway Groups for WooCommerce (8e7d6f5fc355d02dfe8d709340a3643188c7e5a6) , Jun 07, 2024
New vulnerability
Simple Plyr (CVE-2026-1915) , Apr 16, 2026
Apocalypse Meow (CVE-2026-3523) , Apr 16, 2026
personal-authors-category (CVE-2026-1754) , Apr 16, 2026
UpMenu – Online ordering for restaurants (CVE-2026-1910) , Apr 16, 2026
Employee Directory – Staff Directory and Listing (CVE-2026-1279) , Apr 16, 2026