
CVE-2026-1095: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cantothemes Canto Testimonials

Severity: Medium
Tags: Vulnerability, CVE-2026-1095, CWE-79
Published: Sat Jan 24 2026 (01/24/2026, 07:26:43 UTC)
Source: CVE Database V5
Vendor/Project: cantothemes
Product: Canto Testimonials

Description

CVE-2026-1095 is a stored Cross-Site Scripting (XSS) vulnerability in the Canto Testimonials WordPress plugin affecting all versions up to and including 1.0. Authenticated users with Contributor-level access or higher can exploit insufficient input sanitization and output escaping of the 'fx' shortcode attribute to inject arbitrary script into a page. Because the payload is stored with the post, it executes in the browser of every user who views the affected page, including the editors or administrators who review a Contributor's pending post, which is what makes session hijacking and privilege escalation plausible outcomes. The vulnerability has a CVSS 3.1 base score of 6.4 (medium severity); it requires no user interaction beyond viewing the page, but it does require an authenticated account. No known exploits have been reported in the wild. Organizations running this plugin, in Europe or elsewhere, should apply a vendor update as soon as one is published and apply the interim mitigations below; the larger a site's pool of Contributor accounts, the larger its exposure. Mitigation involves restricting Contributor access, validating and escaping the attribute, and monitoring for injected content.

AI-Powered Analysis

AILast updated: 01/24/2026, 07:51:22 UTC

Technical Analysis

CVE-2026-1095 is a stored Cross-Site Scripting (XSS) vulnerability in the Canto Testimonials plugin for WordPress, affecting all versions up to and including 1.0. The flaw is improper neutralization of input during web page generation: the value of the user-supplied 'fx' shortcode attribute is not sanitized on input or escaped when it is written into the rendered page. Any user who can author posts can place a shortcode in post content, so an authenticated attacker with Contributor-level access or higher can set the 'fx' attribute to a value that breaks out of its HTML context and injects arbitrary JavaScript. Because the shortcode is stored with the post, the script executes whenever any user renders that page, which can expose session cookies, steal data visible to that user, or perform actions with that user's privileges; a Contributor's post must be reviewed by an Editor or Administrator before publication, so the first victim is often a higher-privileged reviewer. The CVSS 3.1 base score is 6.4 (medium): network attack vector, low attack complexity, low privileges required (Contributor or above), no user interaction, a scope change (the script runs in the victim's browser rather than the plugin's own security context), and low impact to confidentiality and integrity with no impact to availability, i.e. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was published on January 24, 2026, with Wordfence as the assigning CNA, and is classified under CWE-79, improper neutralization of input leading to XSS.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to websites using the Canto Testimonials WordPress plugin. Exploitation could lead to session hijacking, unauthorized actions on behalf of users, or theft of sensitive information such as authentication tokens. This is particularly concerning for organizations with Contributor-level users who can inject malicious scripts, potentially compromising site visitors or administrators. The impact is more severe for organizations relying on WordPress for customer-facing or internal portals where trust and data integrity are critical. Although availability is not affected, the confidentiality and integrity of user data and site content can be compromised, potentially damaging reputation and leading to regulatory compliance issues under GDPR if personal data is exposed. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits given time.

Mitigation Recommendations

1. Immediately restrict Contributor-level access to trusted users only and review existing user roles to minimize the number of accounts that can author post content. Contributor is the lowest role that can write posts containing shortcodes, so it is the minimum privilege needed to exploit this issue.
2. The correct fix belongs in the plugin: validate the 'fx' attribute against the small set of effect names the plugin actually supports (an allowlist), and escape it for its output context with esc_attr() (attribute context) or esc_html() (text context) at the point where it is written into the page. sanitize_text_field() on input strips tags and control characters but is not a substitute for context-aware output escaping. Site operators cannot apply this without modifying plugin code, so treat it as a temporary fork or a must-have in the vendor's update.
3. Monitor website content and logs for injected script. Search existing post content (for example the wp_posts table) for uses of the plugin's shortcode whose 'fx' attribute contains quotes, angle brackets, or event-handler names such as "onmouseover", and review posts created or edited by Contributor accounts.
4. If feasible, temporarily deactivate or remove the Canto Testimonials plugin until a vendor patch or update is released.
5. Employ a Web Application Firewall (WAF) with rules targeting stored XSS patterns in the 'fx' attribute. Treat this as defence in depth only: pattern-based rules are bypassable and do not remove payloads that are already stored.
6. Educate content contributors about the risks of submitting untrusted markup and enforce strict content submission and review policies.
7. Regularly update WordPress core and plugins, and apply the vendor's fix for this vulnerability as soon as it is available.
8. Conduct security audits and penetration tests focusing on plugin vulnerabilities and misuse of low-privilege roles.
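The following is an added illustration, not the Canto Testimonials plugin's own code, of the CWE-79 pattern described in the Technical Analysis and of the allowlist-plus-escaping fix recommended in item 2 above. The shortcode name canto_testimonial_demo, the markup produced, and the set of accepted effect names are assumptions; the real plugin's handler is not reproduced here. The small stand-ins for esc_attr() and shortcode_atts() exist only so the file runs under the PHP CLI outside WordPress; inside WordPress, core provides them and a plugin must not redefine them.

```php
<?php
// Added example (not the plugin's code): a vulnerable shortcode handler that
// echoes the raw 'fx' attribute into an HTML attribute, beside a hardened one.

// Stand-ins so this file runs with `php example.php` outside WordPress.
// WordPress core defines these; the guards keep them from clashing there.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        // WordPress's esc_attr is built on htmlspecialchars with ENT_QUOTES.
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts ) {
        // Merge user-supplied attributes over the defaults, ignoring unknown keys.
        $atts = (array) $atts;
        $out  = array();
        foreach ( $pairs as $name => $default ) {
            $out[ $name ] = array_key_exists( $name, $atts ) ? $atts[ $name ] : $default;
        }
        return $out;
    }
}

// Vulnerable pattern: the attribute value is concatenated straight into the
// class attribute. A value containing a double quote closes the attribute and
// the rest of the string becomes new attributes, such as an event handler.
function vulnerable_render( $atts ) {
    $atts = shortcode_atts( array( 'fx' => 'fade' ), $atts );
    return '<div class="canto-testimonial ' . $atts['fx'] . '">Testimonial</div>';
}

// Hardened pattern: (1) reduce the value to one of the effect names the
// handler actually supports (assumed list), falling back to the default;
// (2) escape for the attribute context at output time anyway, so a future
// change to the allowlist cannot reintroduce the injection.
const CANTO_DEMO_ALLOWED_FX = array( 'fade', 'slide', 'none' );

function hardened_render( $atts ) {
    $atts = shortcode_atts( array( 'fx' => 'fade' ), $atts );
    $fx   = strtolower( trim( (string) $atts['fx'] ) );
    if ( ! in_array( $fx, CANTO_DEMO_ALLOWED_FX, true ) ) {
        $fx = 'fade';
    }
    return '<div class="canto-testimonial ' . esc_attr( $fx ) . '">Testimonial</div>';
}

// Constructed payload of the kind a Contributor could place in an attribute.
// It is illustrative; how a specific string survives WordPress's shortcode
// parser is not covered here.
$payload = array( 'fx' => 'fade" onmouseover="alert(document.cookie)' );

echo "Vulnerable: ", vulnerable_render( $payload ), "\n";
// <div class="canto-testimonial fade" onmouseover="alert(document.cookie)">Testimonial</div>
echo "Hardened:   ", hardened_render( $payload ), "\n";
// <div class="canto-testimonial fade">Testimonial</div>
```

The allowlist does the real work here: an effect name is a closed set, so there is no reason to accept free-form text at all. The esc_attr() call is defence in depth for the day someone widens the list; and because the value is escaped at output rather than on save, already-stored posts are rendered safely as well.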


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-16T21:37:41.123Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6974765f4623b1157ca739c8

Added to database: 1/24/2026, 7:35:59 AM

Last enriched: 1/24/2026, 7:51:22 AM

Last updated: 1/24/2026, 10:18:44 AM

