Stored Cross-Site Scripting in Mandatory Field Plugin for WordPress
CVE-2026-1278
4.4 MEDIUM
What is CVE-2026-1278?
The Mandatory Field plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) through its admin settings in all versions up to and including 1.6.8. The vulnerability arises from inadequate input sanitization and output escaping, which allows authenticated attackers with administrator-level permissions to inject malicious web scripts. If successfully exploited, these scripts execute whenever a user accesses a compromised page. Notably, this vulnerability specifically affects multi-site installations and installations where unfiltered_html is disabled. These are the configurations in which an administrator is not otherwise allowed to post unfiltered HTML, so that is where the risk for site administrators lies.
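The pattern that closes this class of bug in a WordPress settings page is to sanitize on save and escape on output. This is an added example, not the Mandatory Field plugin's code; the `mfx_*` option, group, slug and function names are hypothetical.

```php
<?php
// Added example: a hypothetical settings page, not the Mandatory Field plugin's code.
// All mfx_* names are assumptions made for illustration.

// Save path: register the option with a sanitize callback so the value
// is cleaned before it reaches the database.
add_action( 'admin_init', function () {
    register_setting( 'mfx_group', 'mfx_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // strips tags, line breaks, extra whitespace
        'default'           => '',
    ) );
} );

add_action( 'admin_menu', function () {
    add_options_page( 'MFX Settings', 'MFX Settings', 'manage_options', 'mfx-settings', 'mfx_render_page' );
} );

// Render path: escape for the output context every time the value is printed.
function mfx_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $label = get_option( 'mfx_label', '' );

    echo '<div class="wrap"><form method="post" action="options.php">';
    settings_fields( 'mfx_group' ); // emits the nonce and option-group fields

    // Unsafe pattern (stored value printed raw into an attribute):
    //   echo '<input type="text" name="mfx_label" value="' . $label . '">';
    // Hardened: escape for the attribute context. Do not skip this for users
    // who might hold 'unfiltered_html': on multisite only super admins have it,
    // and DISALLOW_UNFILTERED_HTML removes it from everyone.
    printf( '<input type="text" name="mfx_label" value="%s">', esc_attr( $label ) );

    submit_button();
    echo '</form></div>';
}
```

Escaping at output is the control that matters for values already stored by an affected version, since the sanitize callback only runs on the next save.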
Affected Version(s)
Mandatory Field: versions 0 through 1.6.8 (<= 1.6.8)