CVE-2026-1071 is a stored cross-site scripting (XSS) vulnerability identified in the Carta Online plugin for WordPress, affecting all versions up to and including 2.13.0. The root cause is insufficient input sanitization and output escaping in the plugin's admin settings interface. This flaw allows an attacker with administrator-level permissions or higher to inject arbitrary JavaScript code that is stored persistently and executed whenever a user accesses the affected page. The vulnerability is specific to multi-site WordPress installations where the unfiltered_html capability is disabled, which normally restricts the ability to post unfiltered HTML content. Because exploitation requires authenticated access with high privileges, the attack surface is limited to trusted users or compromised administrator accounts. The vulnerability impacts the confidentiality and integrity of user sessions and data by enabling script execution in the victim's browser context, potentially leading to session hijacking, privilege escalation, or unauthorized actions. The CVSS v3.1 base score is 4.4, reflecting network attack vector, high attack complexity, required privileges, no user interaction, and partial impact on confidentiality and integrity. No public exploits have been reported, but the vulnerability remains a risk for organizations using Carta Online in multi-site WordPress environments.

The primary impact of CVE-2026-1071 is the potential for attackers with administrator privileges to execute arbitrary scripts within the context of affected users, leading to partial compromise of confidentiality and integrity. This can result in session hijacking, unauthorized actions, or data leakage. Since the vulnerability requires high privileges and affects multi-site installations with unfiltered_html disabled, the risk is limited to environments where multiple sites are managed under one WordPress instance and where strict HTML filtering is enforced. The vulnerability does not impact availability. However, if exploited, it could facilitate further attacks such as privilege escalation or lateral movement within the WordPress environment. Organizations relying on Carta Online for multi-site WordPress deployments may face increased risk of insider threats or compromised administrator accounts being leveraged to inject malicious code, potentially affecting multiple sites and users. The medium CVSS score reflects these factors, indicating a moderate but non-trivial risk.

To mitigate CVE-2026-1071, organizations should: 1) Upgrade the Carta Online plugin to a version beyond 2.13.0 once a patch is released, as no patch links are currently available. 2) Restrict administrator-level access strictly to trusted personnel and implement strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised credentials. 3) Regularly audit admin settings and plugin configurations for unauthorized or suspicious script injections. 4) Consider disabling or limiting multi-site functionality if not required, as the vulnerability specifically affects multi-site installations. 5) Monitor WordPress logs and user activity for signs of exploitation attempts or anomalous behavior. 6) Employ Content Security Policy (CSP) headers to limit the impact of injected scripts by restricting script sources. 7) Educate administrators about the risks of stored XSS and the importance of secure plugin management. These targeted measures go beyond generic advice by focusing on the specific conditions and attack vectors relevant to this vulnerability.