Skip to main content

Mstw League Manager CVE-2026-34890

| EUVDEUVD-2026-18204 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-02 Patchstack
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 02, 2026 - 13:15 euvd
EUVD-2026-18204
Analysis Generated
Apr 02, 2026 - 13:15 vuln.today
CVE Published
Apr 02, 2026 - 12:58 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark O’Donnell MSTW League Manager allows DOM-Based XSS.This issue affects MSTW League Manager: from n/a through 2.10.

AnalysisAI

DOM-based cross-site scripting (XSS) in MSTW League Manager WordPress plugin through version 2.10 allows authenticated attackers to inject malicious scripts that execute in the context of other users' browsers, potentially stealing session tokens, modifying league data, or performing actions on behalf of victims. The vulnerability requires user interaction (UI:R) and affects the plugin across all versions up to 2.10.

Technical ContextAI

This is a CWE-79 improper neutralization vulnerability in a WordPress plugin that fails to properly sanitize or escape user input during web page generation. DOM-based XSS occurs when the plugin takes unsanitized data from user input (typically URL parameters or form fields) and dynamically inserts it into the DOM without proper encoding. The MSTW League Manager plugin, which manages sports league data, does not implement adequate output encoding when rendering user-controlled content, allowing attackers to break out of the intended HTML context and inject arbitrary JavaScript. WordPress plugins using standard escaping functions (wp_kses_post, esc_attr, esc_html, etc.) are vulnerable if they bypass these protections or fail to apply them consistently.

RemediationAI

Update MSTW League Manager to a version newer than 2.10 immediately; check the official WordPress plugin repository or the plugin developer's GitHub repository for the patched release version. If an update is not yet available, disable the plugin temporarily or restrict edit_posts or higher capabilities to only fully trusted administrators until a patch is released. WordPress administrators should audit user permissions and revoke contributor or author roles from untrusted accounts. Apply a web application firewall (WAF) rule to block requests containing common XSS payloads in query parameters or POST data targeting the league manager functionality. For additional information, consult the Patchstack advisory linked in the references.

Share

CVE-2026-34890 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy