Description
The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 17.0.39 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-01-07
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The Multi-column Tag Map plugin contains a stored cross-site scripting flaw in the admin-visible setting 'mctm_css_conditional'. Because the submitted value is neither sanitized when it is stored nor escaped when it is output, an attacker who can log into the WordPress administration interface with Administrator-level rights can store arbitrary JavaScript in that setting. When any user later visits a page that renders the affected option, the injected script runs in that user's browser, enabling phishing, cookie theft, or the insertion of further malicious payloads. The vulnerability is limited to stored scripts: it is not remote code execution, but it lets an already-privileged account mount client-side attacks inside the site's context.

Affected Systems

WordPress sites that have the Multi-column Tag Map plugin (vendor: tugbucket) installed in versions up to and including 17.0.39. The flaw is relevant only on multisite deployments and on installations where the WordPress configuration disables the unfiltered_html capability, so administrator accounts on those deployments are the relevant risk group.

Risk and Exploitability

The CVSS score of 4.4 (Medium) reflects moderate severity, and the EPSS score of less than 1% indicates a low likelihood of widespread exploitation in the near term. The flaw is not listed in the CISA KEV catalog, so exploitation in the wild has not been confirmed, although an authenticated attacker can exploit it once they hold administrator access. The attack is post-authentication: compromising the account of a privileged user is required, but once the script is stored it reaches every user who visits an affected page.

Generated by OpenCVE AI on April 20, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Multi-column Tag Map plugin to a version newer than 17.0.39, which removes the unescaped input handling.
  • If an upgrade is not immediately possible, delete the stored value of the 'mctm_css_conditional' setting and re-apply it with only safe, plain-text content; then confirm that the plugin's options render correctly.
  • Enforce the principle of least privilege by limiting which accounts hold the Administrator role; remove or demote users who do not require that access to prevent future injection attempts.
  • Disable the unfiltered_html capability site-wide and enforce content sanitization on all user-generated content to reduce the attack surface for similar stored XSS vulnerabilities.
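The following WordPress plugin snippet is an added illustration of the defect class described in the analysis above and of the fix the recommended actions aim at; it is not code from the Multi-column Tag Map plugin. The option name mctm_css_conditional is reused from the advisory as a hypothetical option, the mctm_example_* function names and the mctm_example_settings group are invented for the example, and every WordPress API it calls (register_setting, sanitize_text_field, esc_html, esc_attr, get_option, update_option) is real core API. It shows the "stored as received, echoed as stored" pattern beside the hardened form that sanitizes on save and escapes for the output context.

```php
<?php
/**
 * Illustration only: not code from the Multi-column Tag Map plugin.
 * The option name 'mctm_css_conditional' is taken from the advisory;
 * every function name below is hypothetical.
 */

// --- Pattern the advisory describes: stored as received, echoed as stored. ---

function mctm_example_vulnerable_save( $raw_value ) {
    // No sanitizer: a value containing markup is persisted verbatim.
    update_option( 'mctm_css_conditional', $raw_value );
}

function mctm_example_vulnerable_render() {
    // No output escaping: whatever was stored is written into the page as HTML.
    echo get_option( 'mctm_css_conditional', '' );
}

// --- Hardened pattern: sanitize on save, escape on output. ---

function mctm_example_sanitize( $value ) {
    // sanitize_text_field() strips tags and stray '<', leaving plain text,
    // which matches the advice above to keep this setting plain-text only.
    return sanitize_text_field( (string) $value );
}

add_action( 'admin_init', function () {
    // register_setting() with a sanitize_callback hooks the
    // sanitize_option_{$option} filter, so every update_option() call for
    // this option (options.php form posts, WP-CLI) goes through the filter.
    register_setting(
        'mctm_example_settings',
        'mctm_css_conditional',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'mctm_example_sanitize',
            'default'           => '',
        )
    );
} );

function mctm_example_render() {
    // Escape for the context the value lands in: esc_html() for text nodes.
    // Escaping at output also covers values stored before the sanitizer existed.
    echo esc_html( get_option( 'mctm_css_conditional', '' ) );
}

function mctm_example_render_attribute() {
    // esc_attr() for attribute values; the context decides the escaper.
    printf(
        '<div data-mctm-condition="%s"></div>',
        esc_attr( get_option( 'mctm_css_conditional', '' ) )
    );
}
```

To verify the second recommended action on a live site, `wp option get mctm_css_conditional` (WP-CLI) prints the stored value so it can be inspected for markup before and after it is re-applied; a value that contains a `<` character has not been through a plain-text sanitizer. Escaping at output is kept even though the save path is sanitized, because the two defend against different failure modes: the sanitizer governs what gets stored, the escaper governs how it is rendered.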

Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Wordpress wordpress
Vendors & Products    (none)           Wordpress wordpress

Wed, 07 Jan 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 09:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 17.0.39 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title         (none)           Multi-column Tag Map <= 17.0.39 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'mctm_css_conditional' Parameter
Weaknesses    (none)           CWE-79
References    (none)           (none)
Metrics       (none)           cvssV3_1: {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T17:32:25.214Z
Reserved: 2025-12-04T17:57:15.913Z
Link: CVE-2025-14057

Vulnrichment

Updated: 2026-01-07T14:53:36.165Z

NVD

Status: Deferred
Published: 2026-01-07T12:16:51.500
Modified: 2026-04-15T00:35:42.020
Link: CVE-2025-14057

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:15:20Z

Weaknesses