Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Taboola Taboola Pixel taboola-pixel allows Reflected XSS. This issue affects Taboola Pixel: from n/a through <= 1.1.4.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‐Site Scripting (XSS)
Action: Update Plugin
AI Analysis

Impact

A reflected XSS vulnerability exists in the Taboola Pixel WordPress plugin up to version 1.1.4. The plugin fails to neutralize certain user‑controlled input before reflecting it in a generated HTML page, allowing an attacker to inject and execute arbitrary JavaScript in the victim’s browser. This can enable session hijacking, defacement, or the execution of malicious redirects, compromising user isolation and data integrity.

Affected Systems

WordPress sites that use the Taboola Pixel plugin with a version less than or equal to 1.1.4 are affected. No further operating system or WordPress version details are specified in the advisory.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity vulnerability. EPSS information is unavailable and the issue is not listed in the CISA KEV catalog. Because the flaw is a reflected XSS, an attacker can trigger exploitation by delivering a specially crafted URL or input to unwary users; no administrative or elevated privileges are required. While the risk per individual visitor is moderate, high-traffic sites or those lacking additional content filtering may experience broader impact.

Generated by OpenCVE AI on March 25, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Taboola Pixel to the latest version (at least 1.1.5).
  • If an upgrade cannot be performed immediately, disable the Taboola Pixel plugin or restrict its usage to privileged administrators only.


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Taboola; Taboola taboola Pixel; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Taboola; Taboola taboola Pixel; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Taboola Taboola Pixel taboola-pixel allows Reflected XSS. This issue affects Taboola Pixel: from n/a through <= 1.1.4.

Type: Title
Values Removed: (none)
Values Added: WordPress Taboola Pixel plugin <= 1.1.4 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:10:14.663Z

Reserved: 2026-03-12T11:12:34.193Z

Link: CVE-2026-32545

Vulnrichment

Updated: 2026-03-25T20:08:56.855Z

NVD

Status: Deferred

Published: 2026-03-25T17:17:08.390

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32545

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:10Z

Weaknesses