CVE-2026-0914 identifies a stored cross-site scripting vulnerability in the WP DSGVO Tools (GDPR) plugin for WordPress, specifically within the 'lw_content_block' shortcode functionality. This vulnerability is due to improper neutralization of input during web page generation (CWE-79), where user-supplied attributes are not adequately sanitized or escaped before being rendered. As a result, an authenticated attacker with contributor-level privileges or higher can inject arbitrary JavaScript payloads into pages. These malicious scripts execute in the context of any user who views the compromised page, potentially allowing session hijacking, privilege escalation, or unauthorized actions within the WordPress site. The vulnerability affects all plugin versions up to and including 3.1.36. The CVSS v3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, requiring privileges but no user interaction, and partial impact on confidentiality and integrity, with no impact on availability. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. The vulnerability's scope is limited to sites using this specific plugin, which is designed to assist with GDPR compliance by managing legal content blocks. The flaw underscores the importance of rigorous input validation and output encoding in WordPress plugins, especially those handling user-generated content or shortcodes.

The primary impact of CVE-2026-0914 is the potential compromise of confidentiality and integrity within affected WordPress sites. Exploitation allows attackers to execute arbitrary JavaScript in the browsers of users who visit the injected pages, which can lead to session hijacking, theft of sensitive information, or unauthorized actions performed with the victim's privileges. Since the vulnerability requires contributor-level authentication, it limits exploitation to insiders or compromised accounts, reducing the attack surface. However, many WordPress sites allow contributor or higher roles for content creators, increasing risk. The vulnerability does not affect system availability directly but can undermine trust and lead to reputational damage. Organizations relying on the WP DSGVO Tools plugin for GDPR compliance may face compliance risks if attackers manipulate legal content or disclosures. The absence of known exploits in the wild suggests limited current impact, but the medium severity score indicates a meaningful risk if weaponized. The vulnerability could be leveraged as part of a broader attack chain, especially in environments with multiple users and sensitive data.

To mitigate CVE-2026-0914, organizations should first check for and apply any official plugin updates or patches once released by the vendor. In the absence of patches, administrators should restrict contributor-level access to trusted users only and audit existing contributors for suspicious activity. Implementing a web application firewall (WAF) with rules to detect and block XSS payloads targeting the 'lw_content_block' shortcode can provide temporary protection. Site owners can also manually sanitize and escape user inputs in shortcode attributes by customizing the plugin code or using WordPress hooks to filter content before rendering. Regular security reviews and monitoring for unusual script injections or content changes are recommended. Additionally, educating content contributors about safe input practices and limiting the use of shortcodes to trusted users reduces risk. Backup and incident response plans should be updated to quickly recover from any compromise. Finally, consider alternative GDPR compliance plugins with better security track records if timely patching is not feasible.