CVE-2026-0739 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WMF Mobile Redirector plugin for WordPress, affecting all versions up to and including 1.2. The vulnerability stems from improper neutralization of input during web page generation, specifically due to insufficient input sanitization and output escaping in the plugin's settings interface. An attacker with authenticated Administrator-level access can inject arbitrary JavaScript code into plugin settings, which is then stored and rendered on pages accessed by other users. This stored XSS can lead to execution of malicious scripts in the context of the victim’s browser session, potentially allowing theft of cookies, session tokens, or other sensitive information, as well as unauthorized actions on behalf of the victim. The attack vector requires network access (remote), high attack complexity due to the need for administrator privileges, and no user interaction is required for the malicious script to execute once injected. The vulnerability affects confidentiality and integrity but does not impact availability. The CVSS 3.1 base score is 4.4, reflecting medium severity. No patches or known exploits are currently available or reported. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).

For European organizations, the impact of CVE-2026-0739 primarily concerns the confidentiality and integrity of data processed through WordPress sites using the WMF Mobile Redirector plugin. Successful exploitation could allow attackers to hijack user sessions, steal sensitive information, or perform unauthorized actions with the privileges of affected users. This is particularly critical for organizations relying on WordPress for customer-facing websites, intranets, or portals where administrators manage content. Although exploitation requires administrator access, insider threats or compromised administrator credentials could lead to significant damage. The vulnerability does not affect availability, so service disruption is unlikely. However, reputational damage and regulatory compliance issues (e.g., GDPR) could arise if personal data is exposed or manipulated. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially given the widespread use of WordPress in Europe.

European organizations should immediately audit their WordPress installations to identify the presence of the WMF Mobile Redirector plugin and verify its version. Since no official patches are currently available, administrators should consider the following mitigations: (1) Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). (2) Review and sanitize all plugin settings inputs manually to remove any suspicious scripts. (3) Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the plugin’s settings pages. (4) Monitor logs for unusual administrator activity or changes in plugin settings. (5) Consider temporarily disabling or uninstalling the plugin if it is not essential until a patch is released. (6) Educate administrators about the risks of stored XSS and the importance of secure input handling. (7) Keep WordPress core and all plugins updated to minimize exposure to other vulnerabilities.