CVE-2026-0741 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Electric Studio Download Counter plugin for WordPress. This vulnerability affects all versions up to and including 2.4. The root cause is insufficient sanitization and escaping of user input within the plugin settings interface, which allows authenticated users with Administrator-level privileges to inject arbitrary JavaScript code. When other users access pages where this malicious script is stored, the script executes in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions within the context of the victim's session. The attack vector requires network access (remote) and high privileges (administrator), with no user interaction needed for the payload to execute once injected. The vulnerability has a CVSS 3.1 base score of 4.4, reflecting medium severity due to the complexity of exploitation and limited scope of impact (confidentiality and integrity partial impact, no availability impact). No public exploits have been reported, but the vulnerability poses a risk in environments where the plugin is installed and administrators can be tricked or compromised. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugin development to prevent stored XSS attacks.

The primary impact of this vulnerability is on the confidentiality and integrity of affected WordPress sites using the Electric Studio Download Counter plugin. An attacker with administrator access can inject malicious scripts that execute in the browsers of other users, potentially leading to theft of session cookies, user credentials, or performing unauthorized actions on behalf of victims. This can result in account compromise, data leakage, or defacement of websites. Although exploitation requires administrator privileges, which limits the attack surface, insider threats or compromised admin accounts could leverage this vulnerability to escalate damage. The availability of the site is not directly affected. Organizations relying on this plugin for download tracking may face reputational damage and loss of user trust if exploited. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks, especially if the vulnerability becomes public knowledge.

To mitigate this vulnerability, organizations should first check for updates or patches from the Electric Studio plugin vendor and apply them promptly once available. In the absence of an official patch, administrators should restrict plugin settings access to only the most trusted users and monitor for unusual administrator activity. Implementing Web Application Firewall (WAF) rules to detect and block suspicious script injection patterns in plugin settings can provide temporary protection. Additionally, site owners should enforce Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly auditing installed plugins for vulnerabilities and removing unused or unmaintained plugins reduces attack surface. Educating administrators on phishing and social engineering risks can prevent privilege escalation that might enable exploitation. Finally, backing up site data frequently ensures recovery in case of compromise.