Platform: wordpress
Component: taboola-pixel
Fixed in: 1.1.5
CVE-2026-32545 identifies a Reflected Cross-Site Scripting (XSS) vulnerability within the Taboola Pixel component. This flaw allows attackers to inject malicious scripts into web pages viewed by users, potentially leading to data theft or session hijacking. The vulnerability impacts Taboola Pixel versions prior to 1.1.5, and a patch is available in version 1.1.5.
The primary impact of CVE-2026-32545 is that an attacker can execute arbitrary JavaScript in the context of a user's browser session on the affected site. This can manifest in several ways, including stealing session cookies, redirecting users to malicious websites, or defacing the website. Successful exploitation requires an attacker to craft a malicious URL containing the XSS payload and trick a user into opening it. The blast radius therefore extends to any user who opens such a crafted URL on a page that loads the vulnerable Taboola Pixel. No prior exploitation of this particular flaw is known, but reflected XSS vulnerabilities are routinely exploited in real-world attacks, typically to capture user credentials and other sensitive data.
CVE-2026-32545 was publicly disclosed on 2026-03-25. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released as of this writing. The vulnerability is not listed on the CISA KEV catalog. The CVSS score of 7.1 (HIGH) indicates a significant potential for exploitation if left unaddressed.
Websites utilizing the Taboola Pixel component, particularly those with user-supplied input that is not properly sanitized before being used within the Taboola Pixel, are at risk. Shared hosting environments where multiple websites share the same Taboola Pixel installation are also potentially vulnerable, as a compromise on one site could impact others.
• wordpress / composer / npm:
grep -r '<script>' /var/www/html/wp-content/plugins/taboola-pixel/*
• generic web:
curl -s 'https://example.com/?param=<script>alert(1)</script>'
(The URL is quoted so the shell does not treat < and > as redirections, and -s fetches the response body rather than only the headers, since a reflection can only be seen in the body.)
• wordpress / composer / npm:
wp plugin list | grep taboola-pixel
disclosure
Exploit status
EPSS: 0.04% (11th percentile)
CVSS vector
The primary mitigation for CVE-2026-32545 is to upgrade the Taboola Pixel component to version 1.1.5 or later. If immediate upgrading is not feasible, consider implementing input validation and output encoding on any user-supplied data used within the Taboola Pixel. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Carefully review and sanitize any URLs passed to the Taboola Pixel to prevent malicious script injection. After upgrading, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) through a URL parameter and confirming that the script is not executed.
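A small checker for the verification step above, added here as an example; it is not code from the advisory or from the Taboola Pixel plugin. It builds a properly percent-encoded probe URL for an assumed parameter name and classifies a response body by whether the probe came back as executable script content, as inert text or entities, or not at all. The marker token, the parameter name and the sample responses are constructed.

```python
# Added example, not code from the advisory or the Taboola Pixel plugin.
# Marker, parameter name and sample responses are constructed.
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, urlunsplit
import urllib.request

MARKER = "xssprobe7f3a"                 # benign, recognisable token
PAYLOAD = f"<script>{MARKER}</script>"  # shape of the advisory's verification payload


def build_probe_url(base_url: str, param: str) -> str:
    """Percent-encode the probe into `param`, so neither the shell nor the URL
    grammar mangles the angle brackets (unlike an unquoted curl command line)."""
    p = urlsplit(base_url)
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode({param: PAYLOAD}), ""))


class _ScriptCollector(HTMLParser):
    """Collect the text inside every <script> element of a response body."""
    def __init__(self) -> None:
        super().__init__()
        self._in_script, self.script_bodies = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_bodies.append(data)


def classify_reflection(body: str) -> str:
    """'unsafe': marker came back as <script> content (reflected unencoded, would run);
    'reflected': marker present but not as script content for this probe (output
    encoding is in place for text context; attribute/JS-string contexts need their
    own probe); 'absent': the parameter is not reflected at all."""
    parser = _ScriptCollector()
    parser.feed(body)
    if any(MARKER in s for s in parser.script_bodies):
        return "unsafe"
    return "reflected" if MARKER in body else "absent"


def probe(base_url: str, param: str, timeout: float = 10.0) -> str:
    """Fetch the probe URL (network call) and classify the live response."""
    with urllib.request.urlopen(build_probe_url(base_url, param), timeout=timeout) as r:
        return classify_reflection(r.read().decode("utf-8", "replace"))
```

Run `probe("https://example.com/", "param")` against a staging copy before and after the upgrade; the result should move from "unsafe" to "reflected" or "absent".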
Update to version 1.1.5, or a newer patched version.
CVE-2026-32545 is a Reflected XSS vulnerability in Taboola Pixel, allowing attackers to inject malicious scripts via crafted URLs. It affects versions up to 1.1.4 and has a CVSS score of 7.1 (HIGH).
You are affected if you are using Taboola Pixel versions prior to 1.1.5 and have not implemented adequate input validation and output encoding.
Upgrade Taboola Pixel to version 1.1.5 or later. Implement input validation and output encoding as a temporary workaround if upgrading is not immediately possible.
There is currently no indication of active exploitation campaigns targeting CVE-2026-32545, but the vulnerability remains a potential risk.
Please refer to the official Taboola security advisory for detailed information and updates regarding CVE-2026-32545.