Description
The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mp' parameter in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-11-08
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Mang Board WP plugin is vulnerable to reflected cross‑site scripting due to inadequate sanitization of the 'mp' request parameter. An attacker can embed malicious JavaScript into a crafted URL, which the plugin outputs without proper escaping. When a user follows the link, the script executes in their browser, potentially allowing session hijacking, defacement, or phishing attacks. The weakness is classified as CWE‑79.

Affected Systems

All installations of the Mang Board WP WordPress plugin up to and including version 2.3.1 are affected. Users running older releases of the plugin should verify their version and consider upgrading or disabling the plugin entirely.

Risk and Exploitability

The vulnerability has a CVSS score of 6.1 (Medium severity) and an EPSS score of less than 1%, suggesting a low likelihood of exploitation at this time. It is not listed in CISA’s KEV catalog. The attack vector is inferred to be an unauthenticated user visiting a specially crafted URL containing malicious payloads; the impact is confined to the victim’s browser session rather than server‑side compromise. The most probable exploitation scenario involves phishing or link‑bait campaigns targeting unsuspecting users of affected WordPress sites.

Generated by OpenCVE AI on April 22, 2026 at 12:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Mang Board WP plugin to the latest version that includes the XSS fix, or uninstall the plugin if it is not required.
  • If an update is unavailable, block or sanitize the 'mp' parameter at the application layer, ensuring it is properly escaped before rendering.
  • Deploy a web application firewall or security plugin that intercepts unexpected script input and blocks cross‑site scripting payloads.



Advisories

No advisories yet.

History

Mon, 10 Nov 2025 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 10 Nov 2025 09:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Sat, 08 Nov 2025 03:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mp' parameter in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Type: Title
Values Removed: (none)
Values Added: Mang Board WP <= 2.3.1 - Reflected Cross-Site Scripting

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:41.410Z

Reserved: 2025-10-24T20:32:48.505Z

Link: CVE-2025-12193

Vulnrichment

Updated: 2025-11-10T14:07:29.830Z

NVD

Status: Deferred

Published: 2025-11-08T04:15:45.223

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12193

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:30:16Z

Weaknesses