cleantalk
Vulnerabilities and Security Researches

Microtango, CVE-2026-1821

CVE, Research URL

CVE-2026-1821

Home page URL

Security reports for Microtango

Application

Microtango

Published on
Feb 11, 2026
Research Description
The Microtango plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'restkey' parameter of the mt_reservation shortcode in all versions up to, and including, 0.9.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 0.9.30.
Status
vulnerable
Previous vulnerability researches
Post Affiliate Pro (CVE-2023-38482) , Jun 07, 2024
Post Affiliate Pro (CVE-2026-2290) , Apr 13, 2026
New vulnerability
WP Google Ad Manager Plugin (CVE-2026-1399) , Apr 15, 2026
WP Social Meta (CVE-2026-2498) , Apr 15, 2026
Allow HTML in Category Descriptions (CVE-2026-0693) , Apr 15, 2026
Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display G (CVE-2026-1916) , Apr 15, 2026
s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscription (CVE-2026-1994) , Apr 15, 2026