CVE-2026-1643
Description
The MP-Ukagaka plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in MP-Ukagaka plugin for WordPress up to v1.5.2 allows unauthenticated attackers to inject arbitrary scripts via insufficient input sanitization.
Vulnerability Overview
The MP-Ukagaka plugin for WordPress, in all versions up to and including 1.5.2, is vulnerable to Reflected Cross-Site Scripting (XSS). The root cause is insufficient input sanitization and output escaping, which allows unauthenticated attackers to inject arbitrary web scripts into pages [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious link containing the injected script. The attack requires user interaction, as the victim must be tricked into clicking the link. No authentication is needed, making the attack surface broad. The plugin has been closed as of February 5, 2026, and is no longer available for download [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the affected WordPress site.
Mitigation
As the plugin is closed and no longer supported, users should immediately remove the MP-Ukagaka plugin from their WordPress installations. No patched version is available. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=1.5.2
Patches
No patches discovered yet.
References
4
News mentions
No linked articles in our index yet.