MEDIUM
mutualfunddata
CVE published 2026-05-27
CVE-2026-8869
A stored cross-site scripting (XSS) vulnerability exists in the Mutual Funds Data WordPress plugin (versions up to and including 1.2.1). The flaw resides in the mfd_shortcode() function, where the 'title' shortcode attribute is concatenated directly into HTML output within a <caption> element without adequate input sanitization or output escaping. Authenticated attackers with Contributor-level access or h [truncated]
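The pattern described above (a shortcode attribute concatenated into a <caption> element) is shown here next to a hardened form and a check for already-stored content. This is an added example, not the plugin's own code: the shortcode tag example_fund_table and all three function names are hypothetical, and it assumes it is loaded inside WordPress.

```php
<?php
// Added illustration. Hypothetical code, not the Mutual Funds Data plugin source.
// Both handlers render a table whose <caption> comes from the 'title' attribute.

// Vulnerable pattern: the attribute value reaches the markup unchanged, so any
// HTML a Contributor saves in the shortcode is served to every later visitor.
function example_fund_table_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '' ), $atts, 'example_fund_table' );
    return '<table><caption>' . $atts['title'] . '</caption></table>';
}

// Hardened pattern: sanitize the input, then escape for the HTML text context
// at the point of output. The escaping is what closes the hole.
function example_fund_table_safe( $atts ) {
    $atts  = shortcode_atts( array( 'title' => '' ), $atts, 'example_fund_table' );
    $title = sanitize_text_field( $atts['title'] );
    return '<table><caption>' . esc_html( $title ) . '</caption></table>';
}
add_shortcode( 'example_fund_table', 'example_fund_table_safe' );

// Review of stored content: return the IDs of posts whose shortcode carries a
// 'title' that contains markup. Scans every post, so run it from an admin
// context or a maintenance task rather than on a front-end request.
function example_fund_table_audit() {
    $hits  = array();
    $regex = '/' . get_shortcode_regex( array( 'example_fund_table' ) ) . '/s';
    $posts = get_posts( array(
        'post_type'   => 'any',
        'post_status' => 'any',
        'numberposts' => -1,
    ) );
    foreach ( $posts as $post ) {
        if ( ! preg_match_all( $regex, $post->post_content, $found, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $found as $match ) {
            $atts = shortcode_parse_atts( $match[3] ); // group 3 = attribute string
            if ( is_array( $atts ) && isset( $atts['title'] )
                && wp_strip_all_tags( $atts['title'] ) !== $atts['title'] ) {
                $hits[] = $post->ID;
            }
        }
    }
    return array_values( array_unique( $hits ) );
}
```

Updating the handler stops new output from carrying markup; the audit matters because the flaw is stored, so posts saved before the fix still hold whatever was entered.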