CVE-2026-0739 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WMF Mobile Redirector plugin for WordPress, affecting all versions up to and including 1.2. The root cause is insufficient input sanitization and output escaping in the plugin's settings interface, which allows attackers with administrator privileges to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious scripts are stored persistently, they execute every time a user accesses the compromised page, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of users. Exploitation requires authenticated access with administrator-level permissions, which limits the attack vector to insiders or compromised admin accounts. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 score of 4.4 reflects a medium severity due to the requirement for high privileges (PR:H), network attack vector (AV:N), high attack complexity (AC:H), no user interaction (UI:N), and partial confidentiality and integrity impact (C:L/I:L/A:N). No public exploits have been reported yet, but the vulnerability poses a risk to sites running this plugin without proper updates or mitigations.

The primary impact of this vulnerability is the potential for stored XSS attacks that can compromise the confidentiality and integrity of user sessions and data on affected WordPress sites. Attackers with administrator access can inject malicious scripts that execute in the context of any user visiting the infected pages, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of users. Although the vulnerability does not directly affect availability, the resulting compromise can lead to reputational damage, loss of user trust, and potential regulatory consequences for organizations handling sensitive data. The requirement for administrator privileges reduces the likelihood of external exploitation but raises concerns about insider threats or compromised admin accounts. Organizations relying on the WMF Mobile Redirector plugin are at risk of targeted attacks, especially if they do not apply patches or implement compensating controls.

To mitigate this vulnerability, organizations should immediately update the WMF Mobile Redirector plugin to a version that addresses the input sanitization and output escaping issues once available. Until a patch is released, restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of account compromise. Conduct regular audits of administrator accounts and plugin settings for unauthorized changes or suspicious scripts. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the plugin's settings pages. Additionally, apply Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Educate administrators about the risks of injecting untrusted content and encourage safe plugin configuration practices. Finally, monitor logs and user activity for signs of exploitation attempts or unusual behavior related to the plugin.