CVE-2026-0739 is a stored Cross-Site Scripting (XSS) vulnerability categorized under CWE-79, affecting the WMF Mobile Redirector plugin for WordPress. This vulnerability arises from improper neutralization of input during web page generation, specifically due to insufficient input sanitization and output escaping in the plugin's settings interface. Authenticated attackers with Administrator-level access can exploit this flaw by injecting arbitrary JavaScript code into plugin settings, which is then stored persistently. When any user visits a page containing the injected script, the malicious code executes in their browser context. This can lead to unauthorized actions such as session hijacking, credential theft, or further exploitation within the affected site. The vulnerability affects all versions up to and including 1.2 of the plugin. The CVSS 3.1 base score is 4.4, reflecting a network attack vector, high attack complexity, required privileges at the administrator level, no user interaction, and a scope change with limited confidentiality and integrity impact but no availability impact. No public exploits have been reported yet. The vulnerability was published on January 14, 2026, and assigned by Wordfence. The lack of patches at the time of reporting indicates that users should apply mitigations or updates once available.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the WMF Mobile Redirector plugin on WordPress. Successful exploitation can compromise the confidentiality and integrity of user sessions and data by executing malicious scripts in the context of the affected site. This can lead to theft of sensitive information, unauthorized actions performed on behalf of users, or further compromise of the web application environment. Although the attack requires administrator-level access, insider threats or compromised admin accounts could leverage this vulnerability to escalate damage. The impact on availability is negligible. Organizations with high web traffic or e-commerce platforms are at increased risk due to the potential for reputational damage and loss of customer trust. Given the widespread use of WordPress across Europe, especially in small and medium enterprises, the vulnerability could have broad implications if exploited. However, the requirement for high privileges and no known public exploits somewhat limits immediate risk.

European organizations should immediately audit their WordPress installations to identify the presence of the WMF Mobile Redirector plugin and its version. Until an official patch is released, administrators should restrict plugin access strictly to trusted personnel and consider disabling or uninstalling the plugin if it is not essential. Implementing Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting plugin settings can provide temporary protection. Regularly monitoring administrator activities and logs for unusual changes in plugin settings is advised. Organizations should also enforce strong authentication mechanisms and limit administrator accounts to reduce the risk of credential compromise. Once a patch becomes available, prompt application is critical. Additionally, educating administrators about the risks of stored XSS and safe plugin management practices will help prevent exploitation. Employing Content Security Policy (CSP) headers can mitigate the impact of injected scripts by restricting script execution sources.