Skip to main content

Mang Board WP CVE-2026-13334

| EUVDEUVD-2026-42538 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 Wordfence GHSA-pm92-5rp3-r8mg
6.1
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-delivered reflected XSS requiring no privileges but mandatory victim click; scope changes to victim browser enabling limited confidentiality and integrity impact with no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 08:58 vuln.today
CVE Published
Jul 09, 2026 - 07:55 nvd
MEDIUM 6.1

DescriptionCVE.org

The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'stag' parameter in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

AnalysisAI

Reflected Cross-Site Scripting in the Mang Board WP WordPress plugin (all versions through 2.3.4) allows unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'stag' parameter, which executes in the browser of any user who clicks a crafted link. Wordfence's source-level analysis identifies the flaw spanning multiple plugin files including _header.php, func.board.php, and class.store.php. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Mang Board WP ≤2.3.4
Delivery
Craft URL with XSS payload in 'stag' parameter
Exploit
Deliver malicious link via phishing to target user
Execution
Victim clicks link triggering reflected response
Persist
Injected script executes in victim browser session
Impact
Exfiltrate cookies or perform authenticated admin actions

Vulnerability AssessmentAI

Exploitation The victim must actively navigate to a crafted URL containing the malicious 'stag' parameter value - this mandatory user interaction (UI:R in the CVSS vector) is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.1 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N accurately characterizes the profile: network-accessible with no complexity or privilege prerequisites on the attacker side, but gated by required user interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a WordPress site running Mang Board WP 2.3.4 or earlier, then constructs a board page URL embedding a JavaScript payload in the 'stag' parameter and delivers it to a site administrator via a phishing email or social engineering. When the administrator clicks the link, the injected script executes in their authenticated browser session, enabling the attacker to steal session cookies, capture credentials, or perform privileged WordPress admin actions on the victim's behalf.
Remediation Update the Mang Board WP plugin beyond version 2.3.4; a fix is available in WordPress SVN changeset 3598739 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3598739%40mangboard&new=3598739%40mangboard), though the exact version number of the released patched build is not stated in available input data and should be verified in the WordPress plugin directory or via the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/0f42b2be-2a7d-470a-896d-6148e31e4cce before updating. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13334 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy