Skip to main content

Taboola Pixel EUVDEUVD-2026-15923

| CVE-2026-32545 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-2q5h-5xx7-pjf2
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15923
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Taboola Taboola Pixel taboola-pixel allows Reflected XSS.This issue affects Taboola Pixel: from n/a through <= 1.1.4.

AnalysisAI

Taboola Pixel versions up to and including 1.1.4 contain a Reflected Cross-Site Scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages during generation. An attacker can craft a malicious URL containing JavaScript payload and trick users into clicking it, causing the injected code to execute in the victim's browser with their session privileges. This vulnerability affects the Taboola Pixel WordPress plugin and has been identified by Patchstack; no CVSS score or EPSS data is currently available, but the reflected XSS classification and WordPress plugin distribution suggest moderate to high real-world risk given the plugin's widespread usage.

Technical ContextAI

Taboola Pixel is a WordPress plugin (CPE: cpe:2.3:a:taboola:taboola_pixel) that provides content recommendation and advertising widgets for WordPress sites. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which is the standard weakness for XSS flaws. The root cause is insufficient input sanitization and output encoding in the plugin's web page generation functions. When user-supplied input from URL parameters or request data is directly reflected into HTML output without proper encoding or validation, attackers can inject arbitrary JavaScript that executes in the context of the victim's browser. The reflected nature of this XSS means the payload must be delivered via a crafted URL rather than being stored in the application, making it a vector for phishing and social engineering attacks against site visitors and administrators.

RemediationAI

Upgrade Taboola Pixel to a version later than 1.1.4 immediately; consult the official Taboola plugin repository or Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/taboola-pixel/vulnerability/wordpress-taboola-pixel-1-1-4-reflected-cross-site-scripting-xss-vulnerability for the patched version number and installation instructions. If immediate patching is not feasible, implement Web Application Firewall (WAF) rules to block common XSS patterns in URL parameters reaching the plugin, enforce Content Security Policy (CSP) headers to restrict inline script execution, and educate administrators and users not to click suspicious links containing unfamiliar query parameters. Monitor the plugin repository and Taboola's security advisories closely for patch availability and apply updates as soon as testing confirms compatibility with your WordPress environment.

Share

EUVD-2026-15923 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy