WordPress Security Bulletin: MP-Ukagaka Plugin Vulnerability (CVE-2026-1643)

On this page

Security Alert Summary

The MP-Ukagaka plugin for WordPress contains a reflected Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.5.2. Insufficient input sanitization and output escaping allow an unauthenticated attacker to inject web scripts that can execute in the browser of a user who is tricked into interacting with crafted content (for example, clicking a link).


CVE Details

  • CVE ID: CVE-2026-1643
  • Affected component: MP-Ukagaka plugin for WordPress
  • Affected versions: All versions up to, and including, 1.5.2
  • Published: February 7, 2026 at 9:16 AM UTC
  • Last modified: February 7, 2026 at 9:16 AM UTC
  • CVSS v3.1: Base Score 6.1, Severity MEDIUM
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Authentication / privileges / interaction: No privileges required (PR:N); user interaction required (UI:R)
  • Scope: Changed (S:C)
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • CWE / weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation / Cross-site Scripting)

Technical Details

The vulnerability is a reflected Cross-Site Scripting (XSS) issue caused by insufficient input sanitization and missing output escaping in the MP-Ukagaka plugin. According to the CVE description, attacker-supplied input can be reflected in pages generated by the plugin without proper encoding, allowing arbitrary script injection that executes in the context of a victim’s browser when they interact with a crafted link or payload.

The CVE references the plugin code (see References) indicating the problem occurs where user-controllable values are output without appropriate escaping. The flaw is reflected XSS, not stored XSS, so it requires an attacker to induce a user to follow a malicious link or perform a specific action that causes the injected script to run.

Impact is limited to what reflected XSS can achieve in the context of the victim user: executing scripts in the browser session of that user, which can lead to disclosure of data accessible to the user or actions performed with the user’s privileges in the browser, consistent with the CVSS impacts of low confidentiality and integrity impact.


How This Could Impact Your Website

Consider a small team managing a WordPress site: the site owner installs MP-Ukagaka, an editor publishes content, and an external contributor receives links to review. An unauthenticated attacker could craft a URL containing malicious script and send it to a contributor or editor. If that user clicks the link while authenticated to the site, the injected script could run in their browser context. Possible practical consequences include limited disclosure of information visible to that user (for example, data displayed on pages they can access) and client-side actions performed as that user in the browser.

Because the vulnerability requires user interaction and has low confidentiality and integrity impact per the CVSS data, it does not imply automatic full site compromise; however, it can noticeably increase the risk of targeted phishing or social engineering against staff or contributors. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (The CVE states versions up to 1.5.2 are affected.)
  • Review and reduce unnecessary user roles and privileges, especially for contributors and other non-administrative accounts.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior, including unexpected requests or suspicious links circulating among users.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References