← Back
2026-02-07 8:26CVE-2026-1643Wordfence
PUBLISHED5.2CWE-79

MP-Ukagaka <= 1.5.2 - Reflected Cross-Site Scripting

The MP-Ukagaka plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Problem type

Affected products

ariagle

MP-Ukagaka

<= 1.5.2 - AFFECTED

References

wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/14c3b53c-ba98-4e93-ba65-6da11816d7a6?source=cve

wordpress.org

https://wordpress.org/plugins/mp-ukagaka/

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/browser/mp-ukagaka/trunk/options.php#L160

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/browser/mp-ukagaka/tags/1.5.2/options.php#L160

GitHub Security Advisories

GHSA-h925-2p9h-xfmp

The MP-Ukagaka plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all...

https://github.com/advisories/GHSA-h925-2p9h-xfmp

The MP-Ukagaka plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-1643

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/browser/mp-ukagaka/tags/1.5.2/options.php#L160

plugins.trac.wordpress.org

https://plugins.trac.wordpress.org/browser/mp-ukagaka/trunk/options.php#L160

wordpress.org

https://wordpress.org/plugins/mp-ukagaka

wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/14c3b53c-ba98-4e93-ba65-6da11816d7a6?source=cve

github.com

https://github.com/advisories/GHSA-h925-2p9h-xfmp

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-1643
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-1643",
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "dateUpdated": "2026-02-07T08:26:37.091Z",
    "dateReserved": "2026-01-29T18:27:27.404Z",
    "datePublished": "2026-02-07T08:26:37.091Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence",
        "dateUpdated": "2026-02-07T08:26:37.091Z"
      },
      "title": "MP-Ukagaka <= 1.5.2 - Reflected Cross-Site Scripting",
      "descriptions": [
        {
          "lang": "en",
          "value": "The MP-Ukagaka plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
        }
      ],
      "affected": [
        {
          "vendor": "ariagle",
          "product": "MP-Ukagaka",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "*",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "1.5.2"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
              "cweId": "CWE-79",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/14c3b53c-ba98-4e93-ba65-6da11816d7a6?source=cve"
        },
        {
          "url": "https://wordpress.org/plugins/mp-ukagaka/"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mp-ukagaka/trunk/options.php#L160"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mp-ukagaka/tags/1.5.2/options.php#L160"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "timeline": [
        {
          "time": "2026-02-06T20:23:36.000+00:00",
          "lang": "en",
          "value": "Disclosed"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Abdulsamad Yusuf",
          "type": "finder"
        }
      ]
    }
  }
}