PatchSiren cyber security CVE debrief

CVE-2026-8869 mutualfunddata CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in the Mutual Funds Data WordPress plugin (versions up to and including 1.2.1). The flaw resides in the mfd_shortcode() function, where the 'title' shortcode attribute is concatenated directly into HTML output within a <caption> element without adequate input sanitization or output escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts that execute when users access affected pages. The vulnerability was disclosed on May 27, 2026, and carries a CVSS 3.1 score of 6.4 (Medium severity). No known exploitation in ransomware campaigns has been reported.

Vendor: mutualfunddata
Product: Mutual Funds Data
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators using the Mutual Funds Data plugin; security teams managing WordPress installations with Contributor-level user access; web application security auditors reviewing WordPress plugin codebases.

Technical summary

The mfd_shortcode() function in mutual-funds-data.php fails to sanitize or escape the 'title' attribute before outputting it within a <caption> HTML element. This allows authenticated users with Contributor or higher privileges to inject JavaScript payloads through the shortcode's title parameter, which are then stored in post content and executed in victims' browsers when viewing the affected page. The vulnerability affects plugin versions up to and including 1.2.1.

Defensive priority

medium

Recommended defensive actions

  • Update the Mutual Funds Data WordPress plugin to a version beyond 1.2.1 if available, or remove the plugin if updates are not forthcoming.
  • Review existing posts and pages for suspicious shortcode usage, particularly [mutual_funds_data] shortcodes with malformed 'title' attributes containing script tags or event handlers.
  • Implement Content Security Policy (CSP) headers to mitigate impact of any stored XSS payloads that may already exist in the database.
  • Consider restricting Contributor-level user permissions or implementing additional content review workflows for users with post editing capabilities.
  • Monitor web access logs for unusual patterns that may indicate exploitation attempts targeting the mfd_shortcode() function.
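To support the post-content review step above, here is an added example (not PatchSiren's code and not the plugin's): a Python checker that pulls the 'title' attribute out of [mutual_funds_data] shortcodes in exported post content and flags values that look like markup rather than a plain caption. The shortcode and attribute grammar is an approximation of WordPress's own shortcode parser, and the post content it scans is constructed sample data.

```python
import re

# Matches [mutual_funds_data ...] and captures the raw attribute string.
# Approximation of WordPress's shortcode regex: a ']' inside an attribute
# value is not handled, which is acceptable for a review pass.
_SHORTCODE_RE = re.compile(r"\[mutual_funds_data\b([^\]]*)\]", re.IGNORECASE)

# key="value", key='value' or key=value (unquoted, no whitespace), loosely
# mirroring shortcode_parse_atts().
_ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]'"]+))""")

# A caption title should be plain text; any of these marks it for review.
_SUSPICIOUS = [
    (re.compile(r"<\s*/?\s*[a-z]", re.I), "html tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event handler attribute"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URL"),
]


def parse_atts(raw):
    """Parse a shortcode attribute string into a {name: value} dict."""
    atts = {}
    for m in _ATTR_RE.finditer(raw):
        # Exactly one of the three value groups is set for each attribute.
        atts[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return atts


def find_suspicious_titles(post_content):
    """Return (shortcode, title, reason) for each shortcode whose title looks like markup."""
    findings = []
    for m in _SHORTCODE_RE.finditer(post_content):
        title = parse_atts(m.group(1)).get("title")
        if title is None:
            continue
        for pattern, reason in _SUSPICIOUS:
            if pattern.search(title):
                findings.append((m.group(0), title, reason))
                break
    return findings


def scan_posts(posts):
    """posts: iterable of (post_id, post_content). Returns {post_id: [findings]}."""
    return {pid: hits for pid, content in posts if (hits := find_suspicious_titles(content))}


# Constructed sample post content, not data from any real site.
SAMPLE_POSTS = [
    (101, 'Quarterly review [mutual_funds_data title="Top performers Q1"] follows.'),
    (102, '[mutual_funds_data title="<span onmouseover=x>Funds</span>"]'),
    (103, "[mutual_funds_data title='NAV table' fund=ABC]"),
]

if __name__ == "__main__":
    for pid, hits in scan_posts(SAMPLE_POSTS).items():
        for shortcode, title, reason in hits:
            print(f"post {pid}: {reason}: {shortcode}")
```

Feed it the post_content column of a wp_posts export (or the output of `wp post list --field=post_content`) to get a list of posts whose shortcode titles deserve a manual look; it does not modify anything.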

Evidence notes

Vulnerability confirmed via Wordfence security advisory and WordPress plugin source code analysis. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as primary weakness. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.
