Which VK All in One Expansion Unit CVEs are tracked?

VK All in One Expansion Unit tracked CVEs include CVE-2024-2093, CVE-2026-39483, CVE-2025-11737, CVE-2025-11267, and CVE-2025-11265.

How many VK All in One Expansion Unit vulnerabilities have patch guidance?

11 of 11 tracked VK All in One Expansion Unit records include a published patch path.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 11 known issues Latest disclosed Mar 23, 2026

VK All in One Expansion Unit Vulnerabilities

Review known vulnerability records for the WordPress plugin VK All in One Expansion Unit (`vk-all-in-one-expansion-unit`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-39483, CVE-2025-11737 and CVE-2025-11267, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Apr 15, 2026

Priority CVE Quick Links

Fast paths into VK All in One Expansion Unit CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2024-2093 Medium 9.96.0.0

CVE-2024-2093 VK All in One Expansion Unit Sensitive Information Exposure

VK All in One Expansion Unit <= 9.95.0.1 - Information Exposure

CVE-2026-39483 Medium 9.113.4

CVE-2026-39483 VK All in One Expansion Unit Stored Cross-Site Scripting

VK All in One Expansion Unit <= 9.113.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2025-11737 Medium 9.112.4

CVE-2025-11737 VK All in One Expansion Unit Stored Cross-Site Scripting

VK All in One Expansion Unit <= 9.112.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via SNS Title

CVE-2025-11267 Medium 9.112.2

CVE-2025-11267 VK All in One Expansion Unit Stored Cross-Site Scripting

VK All in One Expansion Unit <= 9.112.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2025-11265 Medium 9.112.2

CVE-2025-11265 VK All in One Expansion Unit Stored Cross-Site Scripting

VK All in One Expansion Unit <= 9.112.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-37956 Medium 9.99.2.0

CVE-2024-37956 VK All in One Expansion Unit Stored Cross-Site Scripting

VK All in One Expansion Unit <= 9.99.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-2170 Medium 9.97.0.0

CVE-2024-2170 VK All in One Expansion Unit Stored Cross-Site Scripting

VK All in One Expansion Unit <= 9.96.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via className

CVE-2023-28367 Medium 9.88.2.0

CVE-2023-28367 VK All in One Expansion Unit Stored Cross-Site Scripting

VK All in One Expansion Unit <= 9.88.1.0 - Stored (Contributor+) Cross-Site Scripting in CTA Post

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for VK All in One Expansion Unit so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

11 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

0 critical and 0 high severity findings.

Recent CVEs

CVE-2026-39483, CVE-2025-11737 and CVE-2025-11267

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-39483 Medium Patch path listed

CVE-2026-39483: VK All in One Expansion Unit <= 9.113.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.113.3 due to insufficient input sanitization and output...

Published

Mar 23, 2026

Patch Status

9.113.4

Open CVE-2026-39483 Report

CVE-2025-11737 Medium Patch path listed

CVE-2025-11737: VK All in One Expansion Unit <= 9.112.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via SNS Title

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_sns_title' parameter in all versions up to, and including, 9.112.3 due to...

Published

Feb 17, 2026

Patch Status

9.112.4

Open CVE-2025-11737 Report

CVE-2025-11267 Medium Patch path listed

CVE-2025-11267: VK All in One Expansion Unit <= 9.112.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_veu_custom_css' parameter in all versions up to, and including, 9.112.1. This is...

Published

Nov 17, 2025

Patch Status

9.112.2

Open CVE-2025-11267 Report

Known Vulnerabilities

Reports for VK All in One Expansion Unit

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-39483

CVE-2026-39483: VK All in One Expansion Unit <= 9.113.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.113.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level acce...

Published

Mar 23, 2026

Patched Release

9.113.4

Affected Versions

Versions up to 9.113.3

Next Step

Update to 9.113.4 or newer if supported.

Open CVE-2026-39483 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-11737

CVE-2025-11737: VK All in One Expansion Unit <= 9.112.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via SNS Title

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_sns_title' parameter in all versions up to, and including, 9.112.3 due to insufficient input sanitization and output escaping. This makes it possible for authentic...

Published

Feb 17, 2026

Patched Release

9.112.4

Affected Versions

Versions up to 9.112.3

Next Step

Update to 9.112.4 or newer if supported.

Open CVE-2025-11737 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-11267

CVE-2025-11267: VK All in One Expansion Unit <= 9.112.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_veu_custom_css' parameter in all versions up to, and including, 9.112.1. This is due to insufficient input sanitization and output escaping on the user-supplied Custom CSS...

Published

Nov 17, 2025

Patched Release

9.112.2

Affected Versions

Versions up to 9.112.1

Next Step

Update to 9.112.2 or newer if supported.

Open CVE-2025-11267 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-11265

CVE-2025-11265: VK All in One Expansion Unit <= 9.112.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_cta_url' and 'vkExUnit_cta_button_text' parameters in all versions up to, and including, 9.112.1. This is due to a logic error in the CTA save function that reads...

Published

Nov 17, 2025

Patched Release

9.112.2

Affected Versions

Versions up to 9.112.1

Next Step

Update to 9.112.2 or newer if supported.

Open CVE-2025-11265 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-37956

CVE-2024-37956: VK All in One Expansion Unit <= 9.99.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.99.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level acc...

Published

Jul 10, 2024

Patched Release

9.99.2.0

Affected Versions

Versions up to 9.99.1.0

Next Step

Update to 9.99.2.0 or newer if supported.

Open CVE-2024-37956 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-2093

CVE-2024-2093: VK All in One Expansion Unit <= 9.95.0.1 - Information Exposure

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 9.95.0.1 via social meta tags. This makes it possible for unauthenticated attackers to view limited password protected content.

Published

Mar 26, 2024

Patched Release

9.96.0.0

Affected Versions

Versions up to 9.95.0.1

Next Step

Update to 9.96.0.0 or newer if supported.

Open CVE-2024-2093 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-2170

CVE-2024-2170: VK All in One Expansion Unit <= 9.96.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via className

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the child page index widget in all versions up to, and including, 9.96.0.1 due to insufficient input sanitization and output escaping on user supplied attributes such as 'classN...

Published

Mar 25, 2024

Patched Release

9.97.0.0

Affected Versions

Versions up to 9.96.0.1

Next Step

Update to 9.97.0.0 or newer if supported.

Open CVE-2024-2170 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-28367

CVE-2023-28367: VK All in One Expansion Unit <= 9.88.1.0 - Stored (Contributor+) Cross-Site Scripting in CTA Post

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the CTA post functionality in versions up to, and including, 9.88.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attack...

Published

May 09, 2023

Patched Release

9.88.2.0

Affected Versions

Versions up to 9.88.1.0

Next Step

Update to 9.88.2.0 or newer if supported.

Open CVE-2023-28367 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-27926

CVE-2023-27926: VK All in One Expansion Unit <= 9.88.1.0 - Stored (Contributor+) Cross-Site Scripting in Profile Setting

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Profile setting functionality in versions up to, and including, 9.88.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

Published

May 09, 2023

Patched Release

9.88.2.0

Affected Versions

Versions up to 9.88.1.0

Next Step

Update to 9.88.2.0 or newer if supported.

Open CVE-2023-27926 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-0937

CVE-2023-0937: VK All in One Expansion Unit <= 9.87.0.1 - Reflected Cross-Site Scripting via REQUEST_URI

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘$_SERVER['REQUEST_URI']’ parameter in versions up to, and including, 9.87.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unau...

Published

Feb 22, 2023

Patched Release

9.87.1.0

Affected Versions

Versions up to 9.87.0.1

Next Step

Update to 9.87.1.0 or newer if supported.

Open CVE-2023-0937 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-0230

CVE-2023-0230: VK All in One Expansion Unit <= 9.85.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 9.85.0.1 due to insufficient input sanitization and output escaping on user supplied attributes such as class_name. T...

Published

Feb 03, 2023

Patched Release

9.86.0.0

Affected Versions

Versions up to 9.85.0.1

Next Step

Update to 9.86.0.0 or newer if supported.

Open CVE-2023-0230 Report Open CVE Reference