CVE-2026-1278
Stored XSS in WordPress Mandatory Field Plugin Allows Admin Script Injection
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ketanmujumdar | mandatory-fields | up to and including 1.6.8 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1278 is a Stored Cross-Site Scripting (XSS) vulnerability in the Mandatory Field plugin for WordPress, affecting all versions up to and including 1.6.8. The vulnerability exists because the plugin does not properly sanitize or escape input in its admin settings pages. This allows authenticated users with administrator-level permissions or higher to inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the injected page.
The vulnerability specifically affects multi-site WordPress installations or installations where the unfiltered_html capability has been disabled.
How can this vulnerability impact me?
This vulnerability can allow an attacker with administrator-level access to inject malicious scripts into the WordPress admin pages or other pages viewed by users. These scripts can execute in the context of the victim's browser, potentially leading to theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, or further compromise of the website.
Because the vulnerability is a Stored XSS, the malicious payload persists on the site and affects any user who views the page where it was stored.
The CVSS score of 4.4 (medium severity) reflects that the attack requires high privileges and high attack complexity but can impact confidentiality and integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via admin settings in the Mandatory Field WordPress plugin, affecting multi-site installations or those with unfiltered_html disabled. Detection involves checking for suspicious or unexpected script injections in the plugin's admin settings pages or stored options.
Since the vulnerability requires administrator-level access to inject scripts, detection can include reviewing the plugin's stored options for malicious scripts or unusual content in the fields configured via the plugin's settings.
Suggested commands or steps to detect the vulnerability include:
- Use WP-CLI to inspect plugin options for suspicious content, for example: `wp option get element_1` through `element_5` and `mand_message_custom` to check for injected scripts.
- Search the WordPress database for script tags or suspicious payloads in the options table: `SELECT option_name, option_value FROM wp_options WHERE (option_name LIKE 'element_%' OR option_name = 'mand_message_custom') AND option_value LIKE '%<script>%'`. The parentheses are required because `AND` binds more tightly than `OR`; without them the query returns every `element_%` row regardless of its value. `wp_` is the default table prefix; substitute your site's prefix if it differs.
- Monitor HTTP requests to the WordPress admin pages related to the plugin settings for unusual POST requests that include script payloads.
- Check for unexpected JavaScript execution or alerts when accessing pages that use the mandatory fields plugin settings.
[1, 4, 5]
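As an added illustration of the detection approach above (not part of the advisory, Wordfence's tooling or the plugin's own code): a small Python check that applies the same review to option values as returned by `wp option get`, over a constructed sample. The option names come from the guidance above; the patterns matched, and the helper name `scan_options`, are assumptions. It goes slightly beyond a `'%<script>%'` match by also flagging inline event handlers and `javascript:` URIs, which a script-tag-only search would miss.

```python
import re
from typing import Dict, List

# Option names the detection guidance above says to inspect (taken from the page).
MANDATORY_FIELD_OPTIONS = [
    "element_1", "element_2", "element_3", "element_4", "element_5",
    "mand_message_custom",
]

# Heuristic markers of injected markup in a settings value (assumption, not from the
# advisory): script tags, inline event handlers such as onerror=, javascript: URIs,
# and a few tags that commonly carry such handlers. Case-insensitive on purpose.
SUSPICIOUS = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:iframe|img|svg)\b",
    re.IGNORECASE,
)


def scan_options(options: Dict[str, str]) -> List[str]:
    """Return the names of mandatory-field options whose stored value looks like
    injected markup. Options absent from the mapping are treated as empty."""
    hits = []
    for name in MANDATORY_FIELD_OPTIONS:
        value = options.get(name, "")
        if SUSPICIOUS.search(value):
            hits.append(name)
    return hits


# Constructed sample of what `wp option get` might return for each option.
# Not real site data; two values carry markup so the check has something to flag.
SAMPLE_OPTIONS = {
    "element_1": "first_name",
    "element_2": "email",
    "element_3": '"><script>alert(1)</script>',
    "element_4": "company",
    "element_5": "",
    "mand_message_custom": 'Required field missing <img src=x onerror="alert(1)">',
}

if __name__ == "__main__":
    for name in scan_options(SAMPLE_OPTIONS):
        print(f"review option {name!r}: value contains script-like markup")
```

A value flagged here is a prompt for manual review of that option, not proof of compromise; clean values with benign HTML can also match the heuristic.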
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for this vulnerability include:
- Restrict administrator access to trusted users only, as exploitation requires administrator-level permissions.
- Disable or uninstall the Mandatory Field plugin until a patched version is available, especially on multi-site installations or where unfiltered_html is disabled.
- Review and sanitize all inputs in the plugin settings to remove any injected scripts or malicious content.
- Apply strict input validation and output escaping in the plugin code if you maintain a custom or patched version.
- Monitor and audit logs for suspicious activity related to plugin settings changes.
- Keep WordPress core and all plugins updated, and follow security advisories for this plugin.