Skip to main content

Mdtf CVE-2026-32455

| EUVDEUVD-2026-12009 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-13 Patchstack
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-12009
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 MDTF wp-meta-data-filter-and-taxonomy-filter allows DOM-Based XSS.This issue affects MDTF: from n/a through <= 1.3.5.

AnalysisAI

A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in the RealMag777 MDTF (Meta Data Filter and Taxonomy Filter) WordPress plugin affecting versions up to and including 1.3.5. An authenticated attacker with low privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. The vulnerability requires user interaction (UI:R) and is classified as moderate severity (CVSS 6.5), though its exploitability depends on plugin popularity and whether public proof-of-concept code becomes available.

Technical ContextAI

The vulnerability is rooted in improper neutralization of user-supplied input during dynamic web page generation, classified under CWE-79 (Cross-site Scripting). DOM-Based XSS occurs when client-side JavaScript processes untrusted input without proper sanitization or encoding, allowing attackers to manipulate the Document Object Model. The affected product is RealMag777's MDTF WordPress plugin (CPE identifier likely cpe:2.3:a:realmag777:mdtf), which provides metadata filtering and taxonomy filtering functionality for WordPress sites. The vulnerability likely exists in JavaScript code that dynamically constructs filter UI elements or processes taxonomy-related parameters without adequate output encoding, enabling attacker-controlled data to be interpreted as executable code rather than harmless text.

RemediationAI

Immediately upgrade the RealMag777 MDTF plugin to the latest patched version (confirmed as later than 1.3.5) available from the WordPress plugin repository or the vendor's official site. If a patched version is not yet available, disable the plugin entirely until a security update is released. As a temporary mitigation, restrict plugin access to trusted administrator accounts only via WordPress role-based access controls, and implement Content Security Policy (CSP) headers at the web server level to restrict inline script execution. Monitor WordPress logs for suspicious activity from authenticated users and consider implementing Web Application Firewall (WAF) rules to detect and block XSS payloads targeting the MDTF filter endpoints. Notify all site administrators and editors of the vulnerability and advise them against clicking untrusted links while the plugin remains unpatched.

Share

CVE-2026-32455 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy