Platform: wordpress
Component: taboola-pixel
Fixed in: 1.1.5
CVE-2026-32545 identifies a Reflected Cross-Site Scripting (XSS) vulnerability within the Taboola Pixel component. This flaw allows attackers to inject malicious scripts into web pages viewed by users, potentially leading to data theft or session hijacking. The vulnerability impacts Taboola Pixel versions prior to 1.1.5, and a patch is available in version 1.1.5.
The primary impact of CVE-2026-32545 is that an attacker can execute arbitrary JavaScript in the context of a user's browser. The attacker crafts a URL that carries the payload; when the user visits that URL, the browser executes the attacker's script. Successful exploitation could allow an attacker to steal sensitive user data, such as cookies and session tokens, and use them to impersonate the user. The attacker could also redirect the user to a phishing site or deface the website. The blast radius is limited to users interacting with pages containing the vulnerable Taboola Pixel component.
CVE-2026-32545 was publicly disclosed on 2026-03-25. No public proof-of-concept (PoC) code has been identified at the time of writing. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Websites utilizing the Taboola Pixel component, particularly those with user-supplied input that is not properly sanitized before being used within the Taboola Pixel, are at risk. Shared hosting environments where multiple websites share the same Taboola Pixel installation are also potentially vulnerable, as a compromise on one site could impact others.
• wordpress / composer / npm:
grep -r '<script>' /var/www/html/wp-content/plugins/taboola-pixel/*
• generic web:
curl -I 'https://example.com/?param=<script>alert(1)</script>'
• wordpress / composer / npm:
wp plugin list | grep taboola-pixel
Exploit status
EPSS: 0.04% (11% percentile)
CVSS vector
The recommended mitigation for CVE-2026-32545 is to immediately upgrade Taboola Pixel to version 1.1.5 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on any user-supplied data used within the Taboola Pixel component. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Monitor web server access logs for suspicious URL patterns containing JavaScript code. After upgrading, confirm the fix by attempting to inject a simple XSS payload via a URL and verifying that it is not executed.
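The access-log monitoring suggested above, as an added example (not code from Taboola or from this advisory): a small Python triage script that decodes each request's query string, including nested percent-encoding, and flags script-like markup. The log lines, IP addresses and the parameter names are constructed, and the Apache/nginx combined log format is an assumption.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Client address and request target from a combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Triage heuristic, not a complete XSS grammar: tags, javascript: URLs, event-handler attributes.
XSS_RE = re.compile(r'<\s*(?:script|svg|img|iframe)\b|javascript\s*:|\bon\w+\s*=', re.I)

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (client_ip, decoded_query) for requests whose query string carries script-like markup."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        client, target = m.groups()
        query = decode_fully(urlsplit(target).query)
        if XSS_RE.search(query):
            hits.append((client, query))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical parameter names).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Mar/2026:10:01:02 +0000] "GET /?utm_source=news HTTP/1.1" 200 5120',
    '198.51.100.9 - - [25/Mar/2026:10:02:10 +0000] "GET /?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5300',
    '198.51.100.9 - - [25/Mar/2026:10:02:44 +0000] "GET /?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5300',
    '192.0.2.55 - - [25/Mar/2026:10:03:00 +0000] "GET /shop?action=view&location=eu HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for client, query in suspicious_requests(SAMPLE_LOG):
        print(client, query)
```

Benign parameters such as `action=` and `location=` are not flagged because the event-handler pattern requires a word boundary before `on`; a parameter that genuinely starts with `on` would be, so treat hits as leads to review rather than confirmed attacks.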
Upgrade to version 1.1.5 or a newer patched version
CVE-2026-32545 is a Reflected XSS vulnerability in Taboola Pixel, allowing attackers to inject malicious scripts via crafted URLs. It affects versions up to 1.1.4 and has a CVSS score of 7.1 (HIGH).
You are affected if you are using Taboola Pixel versions prior to 1.1.5 and have not implemented adequate input validation and output encoding.
Upgrade Taboola Pixel to version 1.1.5 or later. Implement input validation and output encoding as a temporary workaround if upgrading is not immediately possible.
There is currently no indication of active exploitation campaigns targeting CVE-2026-32545, but the vulnerability remains a potential risk.
Please refer to the official Taboola security advisory for detailed information and updates regarding CVE-2026-32545.