Platform: wordpress
Component: mstw-league-manager
Fixed in: 2.10.1
CVE-2026-34890 describes a Stored Cross-Site Scripting (XSS) vulnerability affecting the MSTW League Manager plugin for WordPress. This vulnerability allows authenticated attackers to inject malicious web scripts into pages, potentially compromising user sessions and website functionality. The vulnerability impacts versions of the plugin up to and including 2.10. A fix is available via plugin update.
The core impact of CVE-2026-34890 lies in the ability of an authenticated attacker, possessing contributor-level access or higher, to inject arbitrary JavaScript code. This code will execute within the context of any user who subsequently views the affected page. An attacker could leverage this to steal user cookies, redirect users to phishing sites, or deface the website. The stored nature of the XSS means the malicious script persists on the server, allowing for repeated exploitation. While requiring contributor access limits the immediate scope, it still represents a significant risk, particularly in environments with poorly managed user permissions. The potential for data theft and website manipulation makes this a concerning vulnerability.
CVE-2026-34890 was published on April 2, 2026. Severity is currently assessed as Medium (CVSS 6.4). There is no indication of this vulnerability being actively exploited in the wild at this time. Public proof-of-concept (POC) code is not yet available, but the nature of the vulnerability suggests that it is likely to be discovered and exploited if left unpatched. Monitor security advisories and vulnerability databases for updates.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34890 is to immediately update the MSTW League Manager plugin to a version that addresses the vulnerability. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing temporary workarounds. These could include restricting access to the plugin's administrative interface to trusted users only. Additionally, a Web Application Firewall (WAF) configured to detect and block XSS payloads targeting the plugin's endpoints could provide a layer of defense. Monitor plugin usage and page content for suspicious scripts. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload through the plugin's input fields and verifying that it is properly sanitized and does not execute.
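To make the defensive point concrete, the following is an added example written for this page, not code from the MSTW League Manager plugin. It shows the stored-XSS pattern that this class of bug comes from (a contributor-supplied value echoed straight into markup) beside the hardened version, which escapes at output with WordPress's own `esc_html()` and `esc_attr()` helpers, and it includes the kind of check the last sentence above describes. The `render_team_*` functions and the team record are hypothetical; the escaping helpers are shimmed with `htmlspecialchars()` only when the file is run outside WordPress, so it executes from the command line as well.

```php
<?php
// Added example (not the plugin's code): contributor-supplied team data
// rendered unescaped (the stored-XSS pattern) and then rendered with
// context-appropriate escaping. Outside WordPress the real esc_html/esc_attr
// are absent, so equivalent shims are defined; inside WordPress the
// plugin-facing functions are used unchanged.

if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: stored values concatenated directly into HTML.
// Anything a contributor saved is emitted as live markup for every viewer.
function render_team_vulnerable(array $team): string {
    return '<div class="team" data-abbr="' . $team['abbr'] . '">'
         . '<h3>' . $team['name'] . '</h3></div>';
}

// Hardened pattern: escape at the point of output, choosing the escaper for
// the context (attribute value vs. element text). Sanitizing on save with
// sanitize_text_field() is a useful second layer but not a replacement.
function render_team_hardened(array $team): string {
    return '<div class="team" data-abbr="' . esc_attr($team['abbr']) . '">'
         . '<h3>' . esc_html($team['name']) . '</h3></div>';
}

// Verification helper: parse the rendered fragment and report whether it
// contains a <script> element or any on* event-handler attribute. Parsing
// (rather than grepping) avoids flagging escaped text such as "&quot; onmouseover".
function has_active_content(string $html): bool {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    if ($doc->getElementsByTagName('script')->length > 0) {
        return true;
    }
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample: a team record as a contributor-level user could submit
// it, using the simple test payloads a post-upgrade check would use.
$team = [
    'name' => 'Tigers<script>alert(1)</script>',
    'abbr' => 'TIG" onmouseover="alert(1)',
];

foreach (['vulnerable' => render_team_vulnerable($team),
          'hardened'   => render_team_hardened($team)] as $label => $html) {
    printf("%-10s active content: %s\n%s\n\n",
        $label, has_active_content($html) ? 'YES' : 'no', $html);
}
```

Run with `php example.php`: the vulnerable rendering parses to a `<script>` element plus an `onmouseover` attribute, while the hardened rendering contains neither, because both payloads survive only as inert text. The same `has_active_content()` check can be pointed at the HTML a page actually serves after the upgrade, which is a more reliable confirmation than eyeballing the source.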
It's a Stored Cross-Site Scripting (XSS) vulnerability in the MSTW League Manager WordPress plugin, allowing attackers to inject malicious scripts.
If you're using MSTW League Manager version 2.10 or earlier, you are potentially affected. Check your plugin versions immediately.
Update the MSTW League Manager plugin to the latest available version to patch the vulnerability. Consider WAF rules as a temporary measure.
Currently, there's no public evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the official WordPress security advisories and the MSTW League Manager plugin documentation for updates and further information.