CVE-2026-0743 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP Content Permission plugin developed by orenhav for WordPress. This vulnerability affects all versions up to and including 1.2. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of the 'ohmem-message' parameter. An authenticated attacker with Administrator-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages managed by the plugin. When other users visit these pages, the injected scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or escalate privileges. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). According to the CVSS v3.1 scoring, it has a base score of 4.4, reflecting medium severity due to the requirement for high privileges (PR:H) and no user interaction (UI:N). The attack vector is network-based (AV:N), and the scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. No public exploits have been reported, and no patches are currently linked, suggesting that remediation may require manual updates or vendor intervention. The vulnerability was reserved on January 8, 2026, and published on February 4, 2026. This issue primarily threatens environments where the plugin is installed and administrators have elevated privileges, emphasizing the risk of insider threats or compromised admin accounts.

For European organizations, the impact of CVE-2026-0743 can be significant, especially for those relying on WordPress sites with the WP Content Permission plugin installed. The vulnerability allows attackers with admin privileges to inject malicious scripts that execute in the context of other users, potentially leading to session hijacking, unauthorized actions, or data leakage. This can compromise the confidentiality and integrity of user data and site content. Although availability is not directly affected, the reputational damage and potential regulatory consequences under GDPR for data breaches could be substantial. Organizations in sectors such as e-commerce, media, government, and education, which often use WordPress extensively, are particularly vulnerable. The requirement for administrator-level access limits exploitation to insiders or attackers who have already compromised admin credentials, but this makes it a critical post-compromise risk. The vulnerability could also be leveraged to pivot attacks or implant persistent backdoors, increasing the overall threat landscape for affected organizations.

To mitigate CVE-2026-0743, European organizations should first verify if the WP Content Permission plugin is installed and identify the version in use. Since no official patches are currently linked, immediate steps include restricting administrator access to trusted personnel only and enforcing strong multi-factor authentication (MFA) to reduce the risk of credential compromise. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'ohmem-message' parameter can provide temporary protection. Regularly auditing plugin usage and monitoring logs for unusual admin activity is recommended. Organizations should also consider disabling or removing the plugin if it is not essential. For long-term remediation, coordinate with the plugin vendor or community for updates or patches that properly sanitize and escape inputs. Additionally, educating administrators about the risks of stored XSS and safe content management practices will help reduce exploitation chances.