cleantalk
Vulnerabilities and Security Researches

NMR Strava activities, CVE-2026-5341

CVE, Research URL

CVE-2026-5341

Home page URL

Security reports for NMR Strava activities

Application

NMR Strava activities

Published on
May 08, 2026
Research Description
The NMR Strava activities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `strava_nmr_connect` shortcode in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.0.15.
Status
vulnerable
Previous vulnerability researches
WEN Logo Slider (CVE-2025-62127) , May 09, 2026
New vulnerability
Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart) (CVE-2026-7475) , May 10, 2026
Auto Affiliate Links (CVE-2026-7330) , May 10, 2026
NMR Strava activities (CVE-2026-5341) , May 10, 2026
WEN Logo Slider (CVE-2025-62127) , May 09, 2026
Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin (CVE-2025-66105) , May 09, 2026