Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark O’Donnell MSTW League Manager allows DOM-Based XSS. This issue affects MSTW League Manager: from n/a through 2.10.
Published: 2026-04-02
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Patch Now
AI Analysis

Impact

Improper neutralization of user input during page generation creates a DOM‑based Cross‑Site Scripting weakness. An attacker can inject malicious JavaScript that runs in the browsers of visitors to affected pages, potentially compromising session data, defacing the site, or executing further attacks in the victim’s context. The vulnerability is classified as CWE‑79.

Affected Systems

WordPress sites that have installed Mark O’Donnell’s MSTW League Manager plugin in any version up to and including 2.10 are affected. All releases preceding 2.11 contain the flaw and remain vulnerable until patched.

Risk and Exploitability

The CVSS v3.1 base score of 6.5 signals moderate severity. EPSS data is unavailable and the flaw is not listed in the CISA KEV catalog, indicating no confirmed large‑scale exploitation to date. Based on the description, the likely attack vector is an unauthenticated visitor triggering the flaw via a crafted URL or malicious content that causes the vulnerable code to evaluate user input in the browser; no special privileges or authentication are required.

Generated by OpenCVE AI on April 2, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MSTW League Manager plugin to a version newer than 2.10 when a patch becomes available.
  • If an immediate update is not possible, disable the plugin or restrict public access to the plugin’s pages to prevent exploitation.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Mark O’donnell; Mark O’donnell mstw League Manager; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Mark O’donnell; Mark O’donnell mstw League Manager; Wordpress; Wordpress wordpress

Thu, 02 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 13:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark O’Donnell MSTW League Manager allows DOM-Based XSS. This issue affects MSTW League Manager: from n/a through 2.10.

Type: Title
Values Removed: (none)
Values Added: WordPress MSTW League Manager plugin <= 2.10 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-02T13:16:23.200Z

Reserved: 2026-03-31T09:57:17.719Z

Link: CVE-2026-34890

Vulnrichment

Updated: 2026-04-02T13:16:14.891Z

NVD

Status: Received

Published: 2026-04-02T13:16:26.207

Modified: 2026-04-02T13:16:26.207

Link: CVE-2026-34890

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:18Z
