CVE-2026-1084 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the 'Cookie consent for developers' plugin for WordPress. This vulnerability exists in all versions up to and including 1.7.1 due to insufficient input sanitization and output escaping in multiple settings fields. Authenticated attackers with administrator-level access or higher can exploit this flaw to inject arbitrary JavaScript code into pages generated by the plugin. The malicious scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious activities. The vulnerability is constrained to multi-site WordPress installations or those where the unfiltered_html capability is disabled, limiting its scope. The CVSS v3.1 base score is 4.4, reflecting a medium severity level, with an attack vector of network, high attack complexity, requiring high privileges, no user interaction, and a scope change. No public exploits have been reported yet. The vulnerability underscores the importance of proper input validation and output encoding in web applications, especially plugins that handle user-generated content or settings.

The primary impact of this vulnerability is the potential for an authenticated administrator to inject malicious scripts that execute in the context of other users visiting the affected pages. This can lead to limited confidentiality breaches, such as theft of session cookies or sensitive information accessible in the browser context, and integrity issues like unauthorized actions performed on behalf of users. Availability is not impacted. Since exploitation requires administrator privileges, the threat is somewhat mitigated by the need for high-level access, but it remains significant in environments where multiple administrators exist or where insider threats are possible. Multi-site WordPress installations, often used by large organizations or hosting providers, are particularly at risk, potentially affecting many users across sites. The lack of known exploits reduces immediate risk, but the vulnerability could be leveraged in targeted attacks or combined with privilege escalation exploits. Organizations relying on this plugin may face reputational damage, data leakage, or unauthorized administrative actions if exploited.

To mitigate CVE-2026-1084, organizations should first update the 'Cookie consent for developers' plugin to a patched version once available. Until a patch is released, administrators should restrict plugin access strictly to trusted users and minimize the number of users with administrator privileges. Implement strict input validation and output escaping on all plugin settings fields, especially those that accept HTML or script content. For multi-site installations, consider disabling or limiting the use of this plugin if feasible. Additionally, enable Content Security Policy (CSP) headers to reduce the impact of injected scripts. Regularly audit administrator accounts and monitor logs for suspicious activity. Employ web application firewalls (WAFs) with rules targeting XSS payloads related to this plugin. Finally, educate administrators about the risks of injecting untrusted content and maintain a robust patch management process to promptly apply updates.