cleantalk
Vulnerabilities and Security Researches

TalkJS, CVE-2026-1055

CVE, Research URL

CVE-2026-1055

Home page URL

Security reports for TalkJS

Application

TalkJS

Published on
Feb 19, 2026
Research Description
The TalkJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
max 0.1.16.
Status
vulnerable
Previous vulnerability researches
Orbisius Random Name Generator (CVE-2026-1893) , Apr 15, 2026
New vulnerability
personal-authors-category (CVE-2026-1754) , Apr 16, 2026
UpMenu – Online ordering for restaurants (CVE-2026-1910) , Apr 16, 2026
Employee Directory – Staff Directory and Listing (CVE-2026-1279) , Apr 16, 2026
Advance Block Extend (CVE-2026-1646) , Apr 16, 2026
All push notification for WP (CVE-2026-0816) , Apr 16, 2026