CVE-2026-34890

Vulnerability

Overview

The MSTW League Manager plugin for WordPress, versions up to and including 2.10, contains a DOM-Based Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, which allows an attacker to inject arbitrary JavaScript that executes in the victim's browser when the page is rendered [1].

Exploitation

Details

This vulnerability can be exploited over the network with low privileges (e.g., a contributor or administrator role), but successful exploitation requires user interaction—such as clicking a malicious link, visiting a crafted page, or submitting a form. Because it is DOM-based, the payload is processed client-side after the page loads, bypassing server-side filters [1].

Impact

An attacker who successfully exploits this flaw can execute arbitrary scripts in the context of the victim's browser. This can lead to redirects, injection of advertisements, theft of session cookies, or other malicious actions. The reference notes that vulnerabilities of this type are frequently used in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

The vendor has not released a patched version beyond 2.10 at the time of publication. Users are strongly advised to update the plugin immediately if a fix becomes available. If updating is not possible, contacting the hosting provider or a web developer for assistance is recommended [1].