CVE-2026-0867 identifies a stored cross-site scripting (XSS) vulnerability in the Essential Widgets plugin for WordPress, developed by catchthemes. This vulnerability affects all versions up to and including 3.0 due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied attributes in the plugin's shortcodes: ew-author, ew-archive, ew-category, ew-page, and ew-menu. Authenticated users with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript payloads into these shortcode attributes. When other users visit pages containing the injected shortcodes, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability was partially mitigated in version 3.0, but residual issues remain, leaving the plugin vulnerable. The CVSS v3.1 base score is 6.4, indicating medium severity, with an attack vector over the network, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability's nature and ease of exploitation by authenticated users make it a significant concern for WordPress sites using this plugin.

The stored XSS vulnerability in Essential Widgets can lead to unauthorized script execution in the context of affected WordPress sites. This can compromise user session tokens, enabling attackers to impersonate users, including administrators if they view the injected content. It can also facilitate privilege escalation, data theft, or manipulation of site content. Since contributors can inject scripts, attackers can leverage compromised contributor accounts or social engineering to gain initial access. The impact extends to site visitors and administrators, threatening confidentiality and integrity of data. While availability is not directly affected, the reputational damage and potential for further exploitation (such as malware distribution or phishing) can be severe. Organizations relying on this plugin risk data breaches, loss of user trust, and compliance violations if the vulnerability is exploited.

Organizations should immediately update the Essential Widgets plugin to the latest version once a full patch is released beyond version 3.0, as the current fix is partial. Until then, restrict contributor-level access strictly and audit existing contributor accounts for suspicious activity. Implement Web Application Firewall (WAF) rules to detect and block malicious shortcode payloads targeting the vulnerable attributes. Employ Content Security Policy (CSP) headers to limit script execution sources and reduce XSS impact. Conduct regular security reviews of installed plugins and monitor logs for unusual shortcode usage or script injection attempts. Educate content contributors about safe input practices and the risks of injecting untrusted content. Consider disabling or replacing the affected shortcodes if feasible. Finally, maintain regular backups and incident response plans to quickly recover from potential exploitation.