Description
The Microtango plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'restkey' parameter of the mt_reservation shortcode in all versions up to, and including, 0.9.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS) allowing script execution by authenticated contributors
Action: Apply Patch
AI Analysis

Impact

The Microtango plugin permits authenticated WordPress users with Contributor or higher privileges to inject arbitrary scripts into pages through the unsanitized ‘restkey’ parameter of the mt_reservation shortcode. Injected scripts are stored and executed in the browser context of any visitor to the affected page, enabling attacks that compromise confidentiality, integrity, and availability of site content. The weakness is a classic input validation failure classified as CWE‑79.

Affected Systems

All releases of Microtango up to and including version 0.9.29 that feature the mt_reservation shortcode. The plugin is distributed through WordPress.org and used by any WordPress installation that incorporates the affected plugin.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.4, indicating moderate severity. The EPSS score is reported as less than 1 %, suggesting a low but non-zero likelihood of exploitation, and the issue is not listed in the CISA KEV catalog. Because the attack requires only authenticated Contributor‑level access, a relatively broad set of users can exploit it; however the stored nature of the XSS means that any subsequent reviewer of the affected page will experience arbitrary script execution. Exporting or re‑deploying the site without remediation does not mitigate the risk; the only reliable defense is to update or disable the affected functionality.

Generated by OpenCVE AI on April 15, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Microtango to the latest release (≥ 0.9.30) to remove the vulnerable shortcode handling.
  • If an update is not possible, delete or sanitize all instances of the mt_reservation shortcode from posts and pages.
  • Restrict or disable Contributor-level access for users who do not need the ability to edit or add content, thereby limiting the attack surface.

Generated by OpenCVE AI on April 15, 2026 at 21:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
References

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Microtango
Microtango microtango
Wordpress
Wordpress wordpress
Vendors & Products Microtango
Microtango microtango
Wordpress
Wordpress wordpress

Wed, 11 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 08:30:00 +0000

Type Values Removed Values Added
Description The Microtango plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'restkey' parameter of the mt_reservation shortcode in all versions up to, and including, 0.9.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Microtango <= 0.9.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Microtango Microtango
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:54.681Z

Reserved: 2026-02-03T14:17:04.138Z

Link: CVE-2026-1821

cve-icon Vulnrichment

Updated: 2026-02-11T15:37:13.555Z

cve-icon NVD

Status : Deferred

Published: 2026-02-11T09:15:52.213

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1821

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T21:15:13Z

Weaknesses