CVE-2026-1045: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nhomcaodem Viet contact
The Viet contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Analysis
Technical Summary
CVE-2026-1045 is a stored cross-site scripting (XSS) vulnerability in the Viet contact plugin for WordPress, affecting all versions up to and including 1.3.2. The root cause is that values saved through the plugin's admin settings are neither sanitized on input nor escaped on output, so an authenticated user with administrator-level permissions can store arbitrary HTML and JavaScript in a setting that the plugin later renders into a page. The payload persists in the database and executes in the browser of every user who loads the affected page.

The configuration restriction in the advisory is the security-relevant part. On a default single-site WordPress install, administrators hold the unfiltered_html capability and may legitimately publish raw markup, so an administrator storing script there is not a privilege-boundary violation. WordPress core withholds that capability from site administrators on multisite installations (only super admins keep it) and from every user when DISALLOW_UNFILTERED_HTML is defined in wp-config.php. In those configurations a plugin that stores and renders settings without filtering hands an administrator a script-injection ability that core deliberately denies them, which is why the advisory scopes the issue to multisite installations and installations where unfiltered_html has been disabled.

Exploitation requires network access to the admin interface and an administrator-level account; once the payload is stored, no further action by the attacker is needed for it to run on subsequent page loads. The CVSS 3.1 base score is 4.4 (medium), reflecting low confidentiality and integrity impact and no availability impact. No public exploit has been reported and no patched release was available at the time of publication. The weakness is classified as CWE-79, improper neutralization of input during web page generation. Within those constraints the flaw enables the usual stored-XSS outcomes: session hijacking, defacement, or redirecting users to attacker-controlled sites.
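The vulnerable settings-page pattern next to its hardened form, as an added PHP example; this is not the Viet contact plugin's code (its source is not on this page), and the option names, field names, shortcode tags and function names are assumptions:

```php
<?php
/**
 * Added example, not the Viet contact plugin's code. It shows the generic
 * WordPress settings-page pattern behind "insufficient input sanitization and
 * output escaping" and the hardened form of the same pattern.
 * Option, field, shortcode and function names are hypothetical.
 */

/* ---------- Vulnerable pattern ---------- */

add_action('admin_init', function () {
    // No sanitize_callback: the submitted value is stored byte-for-byte,
    // regardless of whether the saving user holds unfiltered_html.
    register_setting('vc_demo_group', 'vc_demo_heading');
});

// Settings form field rendered in wp-admin.
function vc_demo_vuln_field() {
    // Unescaped inside an attribute: a stored "><script>... breaks out of the input.
    echo '<input type="text" name="vc_demo_heading" value="' . get_option('vc_demo_heading', '') . '">';
}

// Front-end output of the same option.
add_shortcode('vc_demo_vuln', function () {
    // Unescaped into HTML text: a stored <script> runs for every visitor.
    return '<h2>' . get_option('vc_demo_heading', '') . '</h2>';
});

/* ---------- Hardened pattern ---------- */

add_action('admin_init', function () {
    // Plain-text field: sanitize_text_field() strips tags, invalid octets
    // and control characters when the option is saved.
    register_setting('vc_demo_group', 'vc_demo_heading_safe', [
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ]);
});

/**
 * Sanitize callback for a field that may carry limited HTML (e.g. a contact
 * message). It mirrors core's own rule: users who hold unfiltered_html keep
 * their markup; everyone else (multisite site admins, sites defining
 * DISALLOW_UNFILTERED_HTML) has it reduced to the post-safe allowlist.
 * This is the check whose absence the advisory scopes to those installs.
 */
function vc_demo_sanitize_rich($value) {
    $value = (string) $value;
    if (current_user_can('unfiltered_html')) {
        return $value;
    }
    return wp_kses_post($value);
}

add_action('admin_init', function () {
    register_setting('vc_demo_group', 'vc_demo_message_safe', [
        'type'              => 'string',
        'sanitize_callback' => 'vc_demo_sanitize_rich',
        'default'           => '',
    ]);
});

function vc_demo_safe_field() {
    // Escape for the attribute context on output, even though input was sanitized.
    echo '<input type="text" name="vc_demo_heading_safe" value="'
        . esc_attr(get_option('vc_demo_heading_safe', '')) . '">';
}

add_shortcode('vc_demo_safe', function () {
    // Escape for the HTML-text context; wp_kses_post() on output re-filters the
    // rich field in case the option was written by other code or an older version.
    return '<h2>' . esc_html(get_option('vc_demo_heading_safe', '')) . '</h2>'
         . '<div>' . wp_kses_post(get_option('vc_demo_message_safe', '')) . '</div>';
});
```

The point of the two-sided fix is that sanitize callbacks run with the saving user's capabilities, so gating on current_user_can('unfiltered_html') reproduces the boundary core enforces for posts, while escaping on output with esc_attr()/esc_html() for the right context protects readers even if the option was written by some other path.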
Potential Impact
The direct impact is that an account with administrator-level access can plant script that runs in the browser of anyone who views the affected page, including other administrators and, on multisite, the network's super admins. That can be used for session hijacking, theft of data visible to the victim, actions performed with the victim's privileges through the authenticated admin interface, or delivery of malware to visitors. The practical escalation path is on multisite: a site administrator who is deliberately denied unfiltered_html can use this flaw to run script in a super admin's session and reach network-level controls that the site administrator does not hold. The requirement for administrator privileges and the limitation to multisite or unfiltered_html-disabled environments keep the overall risk moderate; availability is unaffected and the confidentiality and integrity impact are rated low. The most likely threat actors are malicious insiders or attackers who have already compromised an administrator account and want to persist or move laterally. With no public exploit known, the immediate threat is moderate, but the likelihood of exploitation rises if affected sites are left unpatched once a fix is available.
Mitigation Recommendations
First establish exposure: confirm whether the site runs the Viet contact plugin at version 1.3.2 or earlier, and whether it is a multisite installation or has unfiltered_html disabled (DISALLOW_UNFILTERED_HTML in wp-config.php, or a role-management plugin removing the capability from administrators). Single-site installs whose administrators retain unfiltered_html are outside the scope of this advisory. For exposed sites, restrict administrator accounts to trusted personnel, audit the plugin's stored settings for script tags, event-handler attributes and javascript: URLs, and review admin activity logs for unexpected settings changes. A web application firewall rule that blocks XSS payloads submitted to the plugin's settings endpoints is a stopgap only; it does not remove payloads that are already stored. Since no patched version was available at the time of writing, deactivating or removing the plugin is the most reliable mitigation; if the plugin must stay, a Content-Security-Policy that disallows inline script limits what an injected payload can do. Apply least privilege (as few administrator accounts as possible, multi-factor authentication on all of them) to reduce the chance that an administrator account is misused. Update the plugin as soon as a fixed release is published and re-audit the stored settings afterwards, since an update that only adds input sanitization will not clean payloads already in the database.
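A triage script for the exposure checks and settings audit described above, added here and not part of the original advisory or the plugin: it tests the two preconditions (multisite, and administrator accounts denied unfiltered_html) and scans stored options for script-like content. The function names, the detection regex and the optional option-name filter are assumptions; the plugin's real option names are not given on the page. It runs inside WordPress with WP-CLI (`wp eval-file vc-xss-triage.php`, adding `--url=<site>` per site on multisite):

```php
<?php
/**
 * Added triage script (not part of the advisory or the plugin). Run it inside
 * WordPress with WP-CLI:  wp eval-file vc-xss-triage.php
 * Function names, the detection regex and the option-name filter are
 * assumptions; the plugin's actual option names are not stated on the page.
 */

/** Precondition 1 from the advisory: multisite install. */
function vc_triage_is_multisite(): bool {
    return is_multisite();
}

/** Precondition 2: administrator accounts on this site that do NOT hold unfiltered_html. */
function vc_triage_admins_without_unfiltered_html(): array {
    $denied = [];
    $admins = get_users(['role' => 'administrator', 'fields' => ['ID', 'user_login']]);
    foreach ($admins as $u) {
        // user_can() goes through map_meta_cap(), so both the multisite rule
        // (non-super-admins get do_not_allow) and DISALLOW_UNFILTERED_HTML apply.
        if (!user_can((int) $u->ID, 'unfiltered_html')) {
            $denied[] = $u->user_login;
        }
    }
    return $denied;
}

/**
 * Scan wp_options (including non-autoloaded rows) for script-like fragments.
 * Hits are candidates for manual review, not proof of compromise: the
 * \bon[a-z]+= alternative also matches benign text such as "one=".
 */
function vc_triage_find_script_like_options(string $name_filter = ''): array {
    global $wpdb;
    $pattern = '/<script\b|javascript:|\bon[a-z]+\s*=|<svg\b|<iframe\b/i';
    $sql = "SELECT option_name, option_value FROM {$wpdb->options}";
    if ($name_filter !== '') {
        $sql .= $wpdb->prepare(' WHERE option_name LIKE %s', '%' . $wpdb->esc_like($name_filter) . '%');
    }
    $hits = [];
    foreach ((array) $wpdb->get_results($sql) as $row) {
        if (preg_match($pattern, $row->option_value, $m, PREG_OFFSET_CAPTURE)) {
            $start = max(0, $m[0][1] - 40);
            $hits[$row->option_name] = substr($row->option_value, $start, 120);
        }
    }
    return $hits;
}

/* ---- Report ---- */
$multisite = vc_triage_is_multisite();
$constant  = defined('DISALLOW_UNFILTERED_HTML') && DISALLOW_UNFILTERED_HTML;
$denied    = vc_triage_admins_without_unfiltered_html();
$in_scope  = $multisite || $constant || $denied !== [];

printf("multisite: %s\n", $multisite ? 'yes' : 'no');
printf("DISALLOW_UNFILTERED_HTML: %s\n", $constant ? 'yes' : 'no');
printf("administrators without unfiltered_html: %s\n", $denied ? implode(', ', $denied) : 'none');
printf("in scope of CVE-2026-1045 preconditions: %s\n", $in_scope ? 'YES' : 'no');

// Pass a substring of the plugin's option names once you know them (from its
// settings page or source); an empty string scans every option row.
$hits = vc_triage_find_script_like_options('');
printf("options with script-like content: %d\n", count($hits));
foreach ($hits as $name => $snippet) {
    printf("  %s: %s\n", $name, str_replace(["\r", "\n"], ' ', $snippet));
}
```

The capability check is done per user rather than by inspecting the administrator role, because on multisite the role still lists unfiltered_html while map_meta_cap() denies it at evaluation time; only the per-user result reflects what WordPress actually enforces.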
Affected Countries
United States, Germany, United Kingdom, Australia, Canada, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-16T16:00:14.440Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696f143c4623b1157c18a4f0
Added to database: 1/20/2026, 5:35:56 AM
Last enriched: 2/26/2026, 6:51:31 PM
Last updated: 3/26/2026, 3:55:47 AM