Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the user supplied 'title' attribute in the mfd_shortcode() function, which is concatenated directly into the HTML output within a <caption> element. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Mutual Funds Data WordPress plugin (versions ≤ 1.2.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts into any page using the affected shortcode. The unsanitized 'title' attribute in the mfd_shortcode() function is written directly into a HTML caption element without escaping, meaning injected payloads execute in the browsers of any user who subsequently views the affected page. No public exploit code or active exploitation has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects a low current probability of widespread exploitation.
Technical ContextAI
This vulnerability resides in the mfd_shortcode() function of the Mutual Funds Data WordPress plugin, specifically at lines 88 and 119 of mutual-funds-data.php (visible in the WordPress plugin Trac repository). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), where the plugin accepts a user-supplied 'title' shortcode attribute and concatenates it directly into the HTML output inside a <caption> element without applying WordPress sanitization functions (such as sanitize_text_field or esc_html on output). Because WordPress shortcode attributes are accessible to any authenticated user with the ability to create or edit posts - including Contributors - an attacker does not require elevated administrative privileges to introduce the payload. The CVSS Scope metric of Changed (S:C) correctly reflects that the injected script executes in the victim's browser context, crossing the trust boundary from the web application into the client.
RemediationAI
No vendor-released patched version was identified in the available intelligence data; the exact fix version is not independently confirmed. Site administrators should check the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/596d3b55-e35b-4d77-9915-1091eafbb3ff for updated patch guidance and monitor the WordPress plugin repository for a patched release above version 1.2.1. As an immediate compensating control, administrators should disable or deactivate the Mutual Funds Data plugin until a patched version is confirmed - this eliminates the attack surface entirely but removes plugin functionality. If the plugin must remain active, restrict the Contributor role from creating or editing posts that include this shortcode, or limit contributor-level user registration if it is not operationally required. A WordPress Web Application Firewall rule targeting malformed shortcode attribute payloads (available via Wordfence or similar WAF products) can provide partial mitigation but should not be treated as a full substitute for patching.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32072
GHSA-267x-9qpf-6c8j