CVE-2026-0741 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Electric Studio Download Counter plugin for WordPress, present in all versions up to and including 2.4. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of data entered in the plugin's settings interface. An attacker with Administrator-level privileges can inject arbitrary JavaScript code into plugin-managed pages. When other users, including administrators or site visitors, access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The attack vector requires network access (remote), high attack complexity, and privileges at the administrator level, with no user interaction needed. The vulnerability affects confidentiality and integrity but not availability. The CVSS 3.1 base score is 4.4, indicating medium severity. No public exploits or patches are currently available. The vulnerability is significant for WordPress sites using this plugin, especially those with multiple administrators or public-facing content, as injected scripts could compromise user sessions or site integrity.

For European organizations, the impact of CVE-2026-0741 can be significant in environments where the Electric Studio Download Counter plugin is deployed on WordPress sites, particularly those with multiple administrators or public-facing pages. Exploitation could lead to unauthorized disclosure of sensitive information such as authentication tokens or personal data, undermining confidentiality. Integrity of site content and administrative controls could be compromised by injected scripts, potentially enabling further attacks or defacement. Although availability is not directly affected, reputational damage and loss of user trust could result from successful exploitation. Organizations in sectors with strict data protection regulations (e.g., GDPR) may face compliance risks if user data is exposed. The requirement for administrator privileges limits the threat to insider attackers or compromised admin accounts, but the widespread use of WordPress in Europe means many organizations could be exposed. The vulnerability also poses risks to managed service providers and hosting companies supporting multiple clients.

1. Immediately restrict Administrator-level access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of privilege abuse. 2. Monitor and audit plugin settings for unauthorized or suspicious script content regularly to detect potential injections early. 3. Apply strict input validation and output escaping in plugin settings if custom modifications are possible, or disable the plugin until a vendor patch is available. 4. Consider removing or replacing the Electric Studio Download Counter plugin with alternative solutions that follow secure coding practices. 5. Keep WordPress core, themes, and all plugins updated to the latest versions to reduce exposure to known vulnerabilities. 6. Employ Content Security Policy (CSP) headers to limit the impact of injected scripts by restricting allowed script sources. 7. Educate administrators about the risks of XSS and the importance of secure plugin management. 8. Regularly back up website data and configurations to enable quick recovery in case of compromise.