CVE-2026-1045 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Viet contact plugin for WordPress, versions up to and including 1.3.2. The vulnerability arises from improper input sanitization and insufficient output escaping in the plugin's admin settings interface, allowing authenticated users with administrator-level permissions or higher to inject arbitrary JavaScript code. This injected code is stored persistently and executed whenever any user accesses the affected page, enabling potential attacks such as session hijacking, privilege escalation, or distribution of malware. The vulnerability specifically affects multi-site WordPress installations where the unfiltered_html capability is disabled, limiting the scope of impact. The CVSS 3.1 base score is 4.4 (medium severity), with vector AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N, indicating network attack vector, high attack complexity, required high privileges, no user interaction, and partial impact on confidentiality and integrity with no availability impact. No patches or known exploits are currently available, and the vulnerability was published on January 20, 2026. The issue stems from CWE-79, highlighting improper neutralization of input during web page generation. The vulnerability's exploitation requires authenticated administrative access, which reduces the likelihood of widespread exploitation but poses a significant risk if an attacker gains such access.

For European organizations, the impact of CVE-2026-1045 depends largely on the prevalence of the Viet contact plugin in multi-site WordPress deployments. Organizations running multi-site WordPress environments with this plugin and disabled unfiltered_html are at risk of persistent XSS attacks that can compromise user sessions, steal sensitive data, or facilitate further attacks such as privilege escalation or malware distribution. This can lead to reputational damage, data breaches, and compliance violations under GDPR if personal data is exposed. The requirement for administrator-level access limits the threat to scenarios where internal accounts are compromised or malicious insiders act. However, given the widespread use of WordPress in Europe, especially among SMEs and public sector entities, the vulnerability could be leveraged in targeted attacks against high-value websites. The multi-site context increases the potential blast radius, as multiple sites under one installation can be affected simultaneously. The medium severity score reflects a moderate risk but should not be underestimated in environments with lax access controls or insufficient monitoring.

1. Immediate mitigation involves upgrading the Viet contact plugin to a version that addresses this vulnerability once available. Since no patch links are currently provided, organizations should monitor vendor announcements closely. 2. Restrict administrator-level access strictly to trusted personnel and enforce strong authentication mechanisms such as MFA to reduce the risk of credential compromise. 3. For multi-site WordPress installations, review and consider enabling the unfiltered_html capability if operationally feasible, as the vulnerability requires it to be disabled. 4. Implement Web Application Firewalls (WAF) with custom rules to detect and block suspicious script injection attempts in admin settings. 5. Conduct regular security audits and code reviews of installed plugins to identify and remediate insecure input handling. 6. Monitor logs for unusual administrator activity or unexpected changes in plugin settings. 7. Educate administrators about the risks of XSS and safe plugin management practices. 8. Consider isolating multi-site installations or limiting plugin usage to reduce attack surface. 9. Employ Content Security Policy (CSP) headers to mitigate the impact of injected scripts if exploitation occurs. These steps collectively reduce the likelihood and impact of exploitation beyond generic patching advice.