
CVE-2026-1045: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nhomcaodem Viet contact

Severity: Medium
Published: Tue Jan 20 2026 (01/20/2026, 05:30:17 UTC)
Source: CVE Database V5
Vendor/Project: nhomcaodem
Product: Viet contact

Description

CVE-2026-1045 is a stored Cross-Site Scripting (XSS) vulnerability in the Viet contact WordPress plugin affecting all versions up to and including 1.3.2. An authenticated attacker with administrator-level permissions or higher can inject arbitrary web scripts through the plugin's admin settings; the scripts are stored and execute whenever any user accesses an injected page, which can lead to session hijacking or privilege escalation. The flaw only matters on multi-site installations and on installations where the unfiltered_html capability has been disabled, because elsewhere administrators may legitimately add arbitrary HTML anyway. Exploitation requires high privileges and no user interaction; the CVSS v3.1 base score is 4.4 (medium), reflecting the limited attack surface. No exploitation in the wild has been reported. Organizations running multi-site WordPress with this plugin should prioritize patching or mitigating the issue. Mitigations include restricting administrator access, sanitizing and escaping plugin settings, and monitoring for suspicious script injections.

AI-Powered Analysis

Last updated: 01/27/2026, 20:22:23 UTC

Technical Analysis

CVE-2026-1045 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 in the Viet contact plugin for WordPress. It affects all versions up to and including 1.3.2. It arises from improper neutralization of input during web page generation: values accepted through the plugin's admin settings interface are neither sanitized on input nor escaped on output. An authenticated attacker with administrator-level permissions or higher can therefore store arbitrary JavaScript in pages managed by the plugin; the payload persists and executes whenever any user accesses the affected page, enabling session compromise, actions performed as the victim, or data theft. The vulnerability is relevant to WordPress multi-site installations and to installations where the unfiltered_html capability has been disabled: on multi-site only super administrators hold unfiltered_html by default, and on single-site installs it can be removed with the DISALLOW_UNFILTERED_HTML constant. In those environments administrators are not supposed to be able to store script tags at all, and the plugin provides a bypass of that restriction; where administrators already hold unfiltered_html, the plugin grants them nothing they do not already have. The CVSS v3.1 base score is 4.4 (medium), reflecting the high privileges required and the absence of user interaction. No public exploits have been reported. The vulnerability was published on January 20, 2026, and assigned by Wordfence. Because stored XSS persists across visits, the risk includes ongoing compromise of site visitors and of other administrators, making it a meaningful concern for organizations relying on this plugin in multi-site WordPress environments.
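To make the pattern concrete, the following is an added illustration of the CWE-79 bug class described above in WordPress plugin settings code, shown beside a hardened version. It is not Viet contact's code (which is not reproduced here); the option names, field names and nonce action are hypothetical.

```php
<?php
// Added illustration of stored XSS via admin settings in a WordPress plugin.
// Hypothetical option/field names (vc_demo_*); not the Viet contact plugin's code.

// --- Vulnerable pattern: stored raw, echoed raw ---------------------------------
function vc_demo_save_settings_vulnerable() {
    // Even with the usual capability and nonce checks in place, nothing here
    // strips markup. An administrator WITHOUT unfiltered_html (multi-site, or
    // DISALLOW_UNFILTERED_HTML set) can still store "<script>...</script>".
    update_option( 'vc_demo_contact_title', $_POST['vc_demo_contact_title'] );
}

function vc_demo_render_title_vulnerable() {
    // Emitted unescaped on every page that renders the contact form: stored XSS.
    echo '<h2>' . get_option( 'vc_demo_contact_title' ) . '</h2>';
}

// --- Hardened pattern: sanitize on input, escape on output -----------------------
function vc_demo_register_settings() {
    // sanitize_callback runs on every save through the Settings API, so the
    // stored value is already clean regardless of which code path writes it.
    register_setting( 'vc_demo', 'vc_demo_contact_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
    register_setting( 'vc_demo', 'vc_demo_contact_intro', array(
        'type'              => 'string',
        'sanitize_callback' => 'vc_demo_sanitize_rich_text',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'vc_demo_register_settings' );

function vc_demo_sanitize_rich_text( $value ) {
    // Mirror core's handling of post content: users who hold unfiltered_html may
    // keep arbitrary markup; everyone else is reduced to the wp_kses_post
    // allow-list, which drops <script>, on* event handlers and javascript: URLs.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}

function vc_demo_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'vc_demo_save_settings' );

    $title = isset( $_POST['vc_demo_contact_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['vc_demo_contact_title'] ) )
        : '';
    $intro = isset( $_POST['vc_demo_contact_intro'] )
        ? vc_demo_sanitize_rich_text( wp_unslash( $_POST['vc_demo_contact_intro'] ) )
        : '';

    update_option( 'vc_demo_contact_title', $title );
    update_option( 'vc_demo_contact_intro', $intro );
}

function vc_demo_render_fixed() {
    // Escape on the way out as well; input filtering alone is not sufficient,
    // since the option may have been written before the fix or by other code.
    echo '<h2>' . esc_html( get_option( 'vc_demo_contact_title', '' ) ) . '</h2>';
    echo '<div class="vc-intro">' . wp_kses_post( get_option( 'vc_demo_contact_intro', '' ) ) . '</div>';
    // Context matters: esc_attr() inside attributes, esc_url() for href/src,
    // wp_json_encode() when passing a value into inline JavaScript.
}
```

The design choice worth noting is the capability check in `vc_demo_sanitize_rich_text`: it reproduces the contract the advisory is about, namely that an administrator who lacks unfiltered_html must not be able to persist executable markup through a plugin, while super administrators keep the behaviour WordPress core already grants them.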

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily in environments using WordPress multi-site configurations with the Viet contact plugin installed. Exploitation can lead to unauthorized script execution, enabling attackers to hijack user sessions, steal sensitive information, or perform actions on behalf of legitimate users. This can compromise confidentiality and integrity of data, especially in administrative contexts. Although availability impact is minimal, the persistent nature of stored XSS can facilitate further attacks and undermine trust in affected websites. Organizations in sectors such as government, finance, and e-commerce that rely on WordPress multi-site setups for managing multiple domains or subsidiaries are at higher risk. The requirement for administrator-level access limits the threat to insiders or attackers who have already breached initial defenses, but the potential damage from such exploitation remains significant. Additionally, the lack of known exploits in the wild suggests a window of opportunity for proactive mitigation before widespread attacks occur.

Mitigation Recommendations

1. Update the Viet contact plugin to a patched version as soon as one is available; until then, consider disabling the plugin or restricting its use on multi-site installations.
2. Limit administrator-level access strictly to trusted personnel and enforce strong authentication, including multi-factor authentication (MFA), on all administrator accounts.
3. Review how unfiltered_html is granted: on multi-site it is held by super administrators only, and on single-site installs it can be withdrawn with the DISALLOW_UNFILTERED_HTML constant. Note that this is general hygiene rather than a fix for this CVE, since the vulnerable plugin is itself a way around that restriction.
4. Deploy a Web Application Firewall (WAF) with rules that detect and block script injection attempts against the plugin's admin settings endpoints.
5. Audit and code-review custom plugins and themes for the same pattern: settings stored without sanitization and rendered without output escaping.
6. Monitor logs and administrator activity for unusual settings changes, and periodically inspect stored plugin options for script tags, event-handler attributes or javascript: URLs.
7. Educate administrators about the risks of stored XSS and safe content management practices.
8. Deploy Content Security Policy (CSP) headers to restrict execution of unauthorized scripts; note that WordPress admin pages rely on inline scripts, so a policy will usually need to be tested and tuned before it can be enforced.
Together these measures reduce the likelihood of exploitation and limit the impact if an attack occurs.


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2026-01-16T16:00:14.440Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 696f143c4623b1157c18a4f0

Added to database: 1/20/2026, 5:35:56 AM

Last enriched: 1/27/2026, 8:22:23 PM

Last updated: 2/7/2026, 6:19:16 PM

