Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.4
Sphere Manager Plugin for WordPress Allows Malicious Code Injection
CVE-2026-1905
Summary
The Sphere Manager plugin for WordPress may allow hackers to inject malicious code into websites, potentially allowing them to steal user data or take control of the site. This is a risk for sites using the plugin, especially if they have contributors or administrators with weak passwords. To protect your site, update the Sphere Manager plugin to a version that fixes this issue as soon as possible.
Original title
The Sphere Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in the 'show_sphere_image' shortcode in all versions up to, and including, 1.0.2 due t...
Original description
The Sphere Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in the 'show_sphere_image' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
nvd CVSS3.1
6.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026