CVE-2026-0812 is a stored Cross-Site Scripting (XSS) vulnerability identified in the LinkedIn SC plugin for WordPress, developed by guillaumev. This vulnerability affects all versions up to and including 1.1.9. The root cause is insufficient sanitization and escaping of user-supplied input in the parameters 'linkedin_sc_date_format', 'linkedin_sc_api_key', and 'linkedin_sc_secret_key'. Because these parameters are stored and later rendered in web pages, an authenticated attacker with administrator-level access or higher can inject arbitrary JavaScript code. When any user accesses the affected page, the malicious script executes in their browser context, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability requires authenticated access with high privileges, making exploitation more challenging but still feasible in compromised or insider threat scenarios. The CVSS 3.1 base score is 4.4, reflecting network attack vector, high attack complexity, required privileges, no user interaction, and partial confidentiality and integrity impact. No public exploits have been reported yet, but the vulnerability poses a risk to websites using this plugin without appropriate patches or mitigations.

The primary impact of CVE-2026-0812 is the potential for attackers with administrator privileges to inject persistent malicious scripts into WordPress sites using the LinkedIn SC plugin. This can lead to session hijacking, theft of sensitive user data, defacement, or distribution of malware to site visitors. Although exploitation requires high privileges, the vulnerability increases risk in environments where administrator accounts may be compromised or malicious insiders exist. The scope includes all users who visit the infected pages, potentially affecting site visitors, editors, and administrators. The confidentiality and integrity of user sessions and data can be partially compromised, but availability is not directly impacted. Organizations relying on this plugin for LinkedIn integration face reputational damage and potential regulatory compliance issues if user data is exposed or manipulated.

To mitigate CVE-2026-0812, organizations should immediately update the LinkedIn SC plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should restrict plugin usage to trusted personnel only and audit administrator accounts for suspicious activity. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Regularly review and sanitize all inputs related to plugin parameters, applying manual code fixes if feasible. Employ Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting the vulnerable parameters. Additionally, monitor logs for unusual administrator actions and conduct security awareness training to reduce insider threat risks. Finally, consider disabling or replacing the plugin if immediate patching is not possible.