{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34890", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-31T09:57:17.719Z", "datePublished": "2026-04-02T12:58:01.605Z", "dateUpdated": "2026-04-02T13:16:23.200Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-02T12:58:01.605Z"}, "title": "WordPress MSTW League Manager plugin <= 2.10 - Cross Site Scripting (XSS) vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "CAPEC-588 DOM-Based XSS"}]}], "affected": [{"vendor": "Mark O\u2019Donnell", "product": "MSTW League Manager", "collectionURL": "https://wordpress.org/plugins", "packageName": "mstw-league-manager", "versions": [{"status": "affected", "version": "n/a", "lessThanOrEqual": "2.10", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark O\u2019Donnell MSTW League Manager allows DOM-Based XSS.This issue affects MSTW League Manager: from n/a through 2.10.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark O\u2019Donnell MSTW League Manager allows DOM-Based XSS.<p>This issue affects MSTW League Manager: from n/a through 2.10.</p>"}]}], "tags": ["x_open-source"], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/mstw-league-manager/vulnerability/wordpress-mstw-league-manager-plugin-2-10-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"}}], "credits": [{"lang": "en", "value": "Conor Sullivan | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:15:44.243037Z", "id": "CVE-2026-34890", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:16:23.200Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34890", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T13:15:44.243037Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:16:14.891Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress MSTW League Manager plugin <= 2.10 - Cross Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Conor Sullivan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "CAPEC-588 DOM-Based XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mark O\u2019Donnell", "product": "MSTW League Manager", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "2.10"}], "packageName": "mstw-league-manager", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/mstw-league-manager/vulnerability/wordpress-mstw-league-manager-plugin-2-10-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark O\u2019Donnell MSTW League Manager allows DOM-Based XSS.This issue affects MSTW League Manager: from n/a through 2.10.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark O\u2019Donnell MSTW League Manager allows DOM-Based XSS.<p>This issue affects MSTW League Manager: from n/a through 2.10.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-02T12:58:01.605Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34890", "state": "PUBLISHED", "dateUpdated": "2026-04-02T13:16:23.200Z", "dateReserved": "2026-03-31T09:57:17.719Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-02T12:58:01.605Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark O\u2019Donnell MSTW League Manager allows DOM-Based XSS.This issue affects MSTW League Manager: from n/a through 2.10."}], "id": "CVE-2026-34890", "lastModified": "2026-04-24T18:08:35.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-04-02T13:16:26.207", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/mstw-league-manager/vulnerability/wordpress-mstw-league-manager-plugin-2-10-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MSTW League Manager", "source": "cna", "vendor": "Mark O\u2019Donnell"}, "product": "mstw_league_manager", "vendor": "mark_o\u2019donnell"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-02T17:09:34.840918+00:00", "value": {"mitigation_remediation": ["Upgrade the MSTW League Manager plugin to a version newer than 2.10 when a patch becomes available.", "If an immediate update is not possible, disable the plugin or restrict public access to the plugin\u2019s pages to prevent exploitation."], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed Mark O\u2019Donnell\u2019s MSTW League Manager plugin in any version up to and including 2.10 are affected. All releases preceding 2.11 contain the flaw and remain vulnerable until patched.", "description_and_impact": "Improper neutralization of user input during page generation creates a DOM\u2011based Cross\u2011Site Scripting weakness. An attacker can inject malicious JavaScript that runs in the browsers of visitors to affected pages, potentially compromising session data, defacing the site, or executing further attacks in the victim\u2019s context. The vulnerability is classified as CWE\u201179.", "risk_and_exploitability": "The CVSS v3.1 base score of 6.5 signals moderate severity. EPSS data is unavailable and the flaw is not listed in the CISA KEV catalog, indicating no confirmed large\u2011scale exploitation to date. Based on the description, the likely attack vector is an unauthenticated visitor triggering the flaw via a crafted URL or malicious content that causes the vulnerable code to evaluate user input in the browser; no special privileges or authentication are required."}}}}, "created": "2026-04-02T20:12:38.799281+00:00", "updated": "2026-04-02T20:21:18.950141+00:00", "vendors": ["mark_o\u2019donnell", "mark_o\u2019donnell$PRODUCT$mstw_league_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}