CVE-2026-0800 is a stored cross-site scripting vulnerability classified under CWE-79, found in the WordPress plugin 'User Submitted Posts – Enable Users to Submit Posts from the Front End' developed by specialk. This plugin allows users to submit posts from the front end of a WordPress site, including custom fields. The vulnerability stems from insufficient input sanitization and lack of proper output escaping of these custom fields, enabling unauthenticated attackers to inject arbitrary JavaScript code. When a user visits a page containing the injected script, the malicious code executes in their browser context, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the user. The vulnerability affects all plugin versions up to and including 20251210. The CVSS v3.1 base score is 7.2, reflecting network attack vector, low attack complexity, no privileges or user interaction required, and a scope change due to impact on other components. The vulnerability does not impact availability but affects confidentiality and integrity. No official patches or fixes have been linked yet, and no known exploits are reported in the wild. However, the public disclosure and severity necessitate immediate attention from site administrators using this plugin.

The impact of CVE-2026-0800 is significant for organizations using the affected WordPress plugin, especially those allowing user-generated content via front-end submissions. Successful exploitation can lead to session hijacking, unauthorized actions performed on behalf of users, defacement of websites, and redirection to malicious or phishing sites. This can damage organizational reputation, lead to data breaches, and potentially facilitate further attacks such as credential theft or malware distribution. Since the vulnerability requires no authentication or user interaction, it can be exploited by remote attackers at scale, increasing risk for high-traffic websites. E-commerce, financial, healthcare, and government websites using this plugin are particularly at risk due to the sensitivity of their data and regulatory requirements. Additionally, compromised sites can be used as platforms for broader attacks against their visitors or partners.

1. Immediate mitigation involves disabling the 'User Submitted Posts – Enable Users to Submit Posts from the Front End' plugin until a patch is available. 2. Monitor official vendor channels and WordPress plugin repositories for updates or patches addressing this vulnerability and apply them promptly. 3. Implement Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting the custom fields of this plugin. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. 5. Conduct thorough input validation and output encoding on all user-submitted content, especially custom fields, to prevent script injection. 6. Regularly audit and sanitize existing user-submitted content to remove any malicious scripts that may have been injected prior to mitigation. 7. Educate site administrators and developers about secure coding practices related to user input handling. 8. Consider alternative plugins with better security track records if immediate patching is not feasible.