CVE-2026-32455

Vulnerability

Overview

The MDTF (wp-meta-data-filter-and-taxonomy-filter) plugin for WordPress, developed by RealMag777, contains a DOM-Based Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.3.5. The issue stems from improper neutralization of user-supplied input during web page generation, specifically enabling DOM-Based XSS attacks [1].

Exploitation

Details

Exploitation requires user interaction, such as clicking a crafted link or visiting a maliciously prepared page. The vulnerability can be triggered by a privileged user, though the attack vector does not require authentication for the initial injection. The DOM-based nature means the payload executes in the victim's browser without server-side reflection, making it harder to detect via traditional filters [1].

Impact

Successful exploitation allows an attacker to inject arbitrary scripts, leading to actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or stealing session cookies. This can compromise the integrity of the affected WordPress site and its users [1].

Mitigation

The vendor has released version 1.3.6 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].