CVE-2026-0743 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WP Content Permission plugin for WordPress, specifically in versions up to and including 1.2. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. The 'ohmem-message' parameter fails to properly sanitize and escape input, allowing authenticated users with Administrator-level privileges or higher to inject arbitrary JavaScript code into web pages. This malicious script is stored persistently and executes in the context of any user who accesses the infected page, potentially leading to session hijacking, privilege escalation, or other client-side attacks. The CVSS v3.1 base score is 4.4, reflecting a medium severity level due to the requirement for high privileges (Administrator access), network attack vector, and no user interaction needed for script execution once injected. The vulnerability impacts confidentiality and integrity to a limited extent but does not affect availability. No public exploits have been reported yet, but the risk remains significant given the widespread use of WordPress and the potential for insider threats or compromised administrator accounts. The vulnerability highlights the importance of rigorous input validation and output encoding in plugin development to prevent injection flaws.

The primary impact of CVE-2026-0743 is the potential for attackers with Administrator-level access to inject persistent malicious scripts into WordPress sites using the vulnerable plugin. This can lead to unauthorized actions such as session hijacking, theft of sensitive user data, or manipulation of site content. While the vulnerability requires high privileges to exploit, it poses a risk if an attacker gains administrative access through other means (e.g., credential compromise or privilege escalation). The integrity and confidentiality of site data and user sessions are at risk, though availability is unaffected. Organizations relying on WP Content Permission may face reputational damage, data breaches, and increased risk of further attacks leveraging the injected scripts. The threat is particularly relevant for websites with multiple administrators or those that allow third-party plugin installations without strict vetting. Given WordPress's global popularity, the vulnerability could affect a broad range of industries and regions, especially those with high WordPress usage and where the plugin is installed.

To mitigate CVE-2026-0743, organizations should take the following specific actions: 1) Immediately update the WP Content Permission plugin to a patched version once available; if no patch exists, consider disabling or uninstalling the plugin temporarily. 2) Restrict Administrator-level access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. 3) Implement Content Security Policy (CSP) headers to limit the impact of injected scripts by restricting the sources from which scripts can be loaded. 4) Regularly audit and monitor the 'ohmem-message' parameter and other user inputs for suspicious or unexpected content using web application firewalls (WAFs) or security plugins. 5) Conduct code reviews and security testing on custom or third-party plugins before deployment to ensure proper input validation and output encoding. 6) Educate site administrators about the risks of stored XSS and the importance of cautious plugin management. 7) Employ runtime application self-protection (RASP) tools where feasible to detect and block malicious script execution in real time.