CVE-2025-3435: 
WordPress vulnerability analysis and mitigation

The Mang Board WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the boardheader and boardfooter parameters in versions up to and including 1.8.6. The vulnerability was discovered and disclosed on April 24, 2025. This security issue affects multi-site installations and installations where unfiltered_html has been disabled (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79. It occurs due to insufficient input sanitization and output escaping in the boardheader and boardfooter parameters. The vulnerability has been assigned a CVSS v3.1 score of 4.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N (Wordfence, NVD).

The vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts in pages. These malicious scripts will execute whenever a user accesses an injected page. The impact is limited to multi-site installations and installations where unfiltered_html has been disabled (NVD).

The vulnerability has been patched in version 1.8.7 of the Mang Board WP plugin. Users should update to this version or later to protect against this security issue (WordPress Plugin).