CVE-2026-34890
DOM-Based XSS in MSTW League Manager Allows Client-Side Attacks
Publication date: 2026-04-02
Last updated on: 2026-04-02
Assigner: Patchstack
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mark_o_donnell | mstw_league_manager | up to 2.10 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-34890 is a Cross Site Scripting (XSS) vulnerability that allows attackers to inject malicious scripts into websites, potentially compromising user data and site integrity.
Such vulnerabilities can impact compliance with standards like GDPR and HIPAA because they may lead to unauthorized access or exposure of personal or sensitive data through malicious script execution.
However, the provided information does not explicitly discuss the direct effects of this vulnerability on compliance with these regulations.
Can you explain this vulnerability to me?
CVE-2026-34890 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress MSTW League Manager Plugin versions up to and including 2.10.
This vulnerability allows attackers to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into websites, which execute when visitors access the compromised site.
Exploitation requires a user with at least Contributor-level privileges to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary.
The vulnerability is classified under OWASP Top 10 category A3: Injection and has a CVSS severity score of 6.5, indicating a moderate risk.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to inject and execute malicious scripts on your website.
These scripts can perform actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, or executing other harmful HTML payloads.
Because exploitation requires user interaction and at least Contributor-level privileges, the risk is somewhat limited but still significant.
The overall impact includes potential compromise of user data, loss of trust, and possible disruption of website functionality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a DOM-Based Cross-Site Scripting (XSS) issue affecting the MSTW League Manager WordPress plugin up to version 2.10. Detection typically involves identifying attempts to inject malicious scripts via user interactions such as clicking links, visiting crafted pages, or submitting forms.
Since the vulnerability requires user interaction and affects web page generation, detection can be approached by monitoring web server logs for suspicious input patterns or unusual query parameters that might contain script tags or encoded payloads.
Specific commands are not provided in the available resources, but general approaches include using web application scanners that detect XSS vulnerabilities or employing manual testing with payloads designed to trigger DOM-based XSS.
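The log-monitoring approach described above, as an added example that is not part of this advisory or the plugin: it scans constructed Apache combined-format access-log lines for script tags, event handlers and javascript: URIs in the query string, decoding repeatedly so double-encoded payloads are not missed. The log lines and indicator patterns are assumptions for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined format); none are real traffic.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [02/Apr/2026:10:00:01 +0000] "GET /?page_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Apr/2026:10:00:07 +0000] "GET /league/?team=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Apr/2026:10:00:09 +0000] "GET /league/?team=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Apr/2026:10:00:11 +0000] "GET /league/?team=Lions HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

# Combined log format: client IP, timestamp in brackets, then the quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Indicators of script injection once the query string has been decoded.
XSS_PATTERNS = [
    ("script_tag", re.compile(r"<\s*script", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
]


def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log_lines(lines):
    """Return (ip, timestamp, indicator, decoded_query) for each request whose query
    string matches an XSS indicator. Caveat: a DOM-based XSS triggered through the URL
    fragment (#...) never reaches the server, so it will not show up in these logs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as combined format
        decoded = fully_decode(urlsplit(m.group("target")).query)
        for name, pattern in XSS_PATTERNS:
            if pattern.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), name, decoded))
                break  # one indicator per request is enough for triage
    return hits


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        print(hit)
```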
What immediate steps should I take to mitigate this vulnerability?
Currently, there is no official patch available for this vulnerability in the MSTW League Manager plugin.
The recommended immediate mitigation steps are to monitor for updates and apply the plugin update once a patch is released.
In the meantime, it is advised to seek assistance from hosting providers or web developers to implement rapid mitigation services or other protective measures.
Additionally, limiting user privileges to reduce the number of users with Contributor-level access can reduce the risk of exploitation.