CVE-2026-0914 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP DSGVO Tools (GDPR) plugin for WordPress, which is widely used to assist with GDPR compliance. The vulnerability exists in all versions up to and including 3.1.36 and stems from insufficient sanitization and escaping of user-supplied attributes within the plugin's 'lw_content_block' shortcode. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. Because the malicious script is stored persistently, it executes every time any user accesses the affected page, potentially allowing attackers to hijack user sessions, steal cookies, perform actions on behalf of users, or deface websites. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector over the network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability's presence in a GDPR compliance plugin increases its attractiveness to attackers targeting European organizations. The flaw highlights the risks of improper input validation in WordPress plugins, especially those handling sensitive regulatory content.

For European organizations, this vulnerability poses significant risks due to the plugin's role in GDPR compliance, which is critical for legal and regulatory adherence. Exploitation could lead to unauthorized disclosure of sensitive information, session hijacking of users including administrators, and potential defacement or manipulation of website content. This undermines user trust and could result in regulatory penalties if personal data is compromised. Since the vulnerability requires only contributor-level access, insider threats or compromised low-privilege accounts can be leveraged to escalate attacks. The persistent nature of stored XSS means that any visitor to the infected pages is at risk, broadening the impact. Organizations relying on WordPress sites with this plugin, especially those in sectors handling personal data such as healthcare, finance, or public services, face increased exposure. Additionally, reputational damage and operational disruptions may occur if attackers leverage the vulnerability to inject phishing or malware delivery scripts.

Organizations should immediately audit their WordPress installations to identify the presence of the WP DSGVO Tools (GDPR) plugin and verify the version in use. Until an official patch is released, restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious shortcode injection. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute patterns indicative of XSS payloads. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. Regularly monitor website content for unexpected script injections or modifications. Educate content contributors about the risks of injecting untrusted content. Once a patch becomes available, apply it promptly. Additionally, consider isolating GDPR-related plugins in staging environments before production deployment to detect vulnerabilities early. Conduct periodic security assessments focusing on WordPress plugins and their input validation mechanisms.