CVE-2026-0800 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin 'User Submitted Posts – Enable Users to Submit Posts from the Front End' developed by specialk. This plugin allows users to submit posts from the front end of a WordPress site, including custom fields. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in these custom fields, enabling unauthenticated attackers to inject arbitrary JavaScript code into posts. When other users visit the affected pages, the malicious scripts execute in their browsers under the context of the vulnerable site, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability affects all versions up to and including 20251210. The CVSS 3.1 base score is 7.2, reflecting network attack vector, low attack complexity, no privileges or user interaction required, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. The impact includes partial confidentiality and integrity loss, but no availability impact. No patches are currently linked, and no known exploits are reported in the wild, but the vulnerability's nature and ease of exploitation make it a significant risk. The plugin’s popularity among WordPress sites, especially those allowing user-generated content, increases the attack surface. Attackers can leverage this vulnerability to conduct phishing, session hijacking, or deliver malware payloads via injected scripts.

For European organizations, the impact of CVE-2026-0800 can be substantial, particularly for those operating public-facing WordPress sites that use the affected plugin to enable user-generated content. Exploitation can lead to unauthorized disclosure of sensitive information such as session cookies or personal data, enabling account takeover or further attacks. Integrity of website content can be compromised, resulting in defacement or distribution of malicious content, which can damage organizational reputation and user trust. The vulnerability does not directly affect availability but can facilitate broader attacks that may disrupt services. Organizations in sectors like e-commerce, media, education, and government, which often rely on WordPress for content management and community engagement, are at higher risk. Additionally, compliance with GDPR and other data protection regulations may be jeopardized if personal data is exposed or manipulated through this vulnerability, potentially leading to legal and financial penalties.

European organizations should immediately audit their WordPress installations to identify the presence of the 'User Submitted Posts – Enable Users to Submit Posts from the Front End' plugin. If present, they should upgrade to a patched version once available or temporarily disable the plugin to prevent exploitation. In the absence of an official patch, organizations can implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting custom fields. Input validation and output encoding should be enforced at the application level, possibly by customizing the plugin code to sanitize inputs and escape outputs properly. Regular security scanning and monitoring for unusual activity or injected scripts on user-submitted content pages are recommended. Additionally, implementing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. User awareness training about phishing and suspicious links can reduce the risk of secondary attacks stemming from XSS exploitation.