CVE-2026-1095 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Canto Testimonials plugin for WordPress, which is widely used for displaying customer testimonials on websites. The vulnerability exists in all versions up to and including 1.0 due to insufficient sanitization and escaping of user-supplied input in the 'fx' shortcode attribute. Specifically, authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript code into testimonial pages. Because the malicious script is stored persistently, it executes every time any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions within the context of the victim’s browser session. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security flaw. The CVSS 3.1 base score is 6.4, reflecting a medium severity level with network attack vector, low attack complexity, privileges required (Contributor or higher), no user interaction needed, and a scope change indicating that the vulnerability can affect components beyond the initially vulnerable plugin. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved and published in January 2026 by Wordfence, a reputable security vendor. This flaw poses a significant risk to WordPress sites using this plugin, especially those allowing multiple contributors or editors to add content.

The primary impact of this vulnerability is the potential for attackers with Contributor-level access to inject malicious scripts that execute in the browsers of site visitors and administrators. This can lead to session hijacking, theft of sensitive information such as authentication cookies, defacement of website content, and unauthorized actions performed on behalf of users. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who visit the compromised pages, increasing the attack surface. Organizations relying on the Canto Testimonials plugin may face reputational damage, data breaches, and unauthorized access to administrative functions. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but many WordPress sites allow contributors or editors, making this a realistic threat. The medium CVSS score reflects moderate risk, but the scope change indicates that the impact can extend beyond the plugin itself, potentially affecting the entire WordPress site and its users.

To mitigate this vulnerability, organizations should immediately restrict Contributor-level and higher user permissions to trusted individuals only, minimizing the risk of malicious script injection. Administrators should audit existing testimonial entries for suspicious or unexpected script content and remove any malicious code. Until an official patch is released, consider disabling or removing the Canto Testimonials plugin to eliminate the attack vector. Implement Web Application Firewall (WAF) rules that detect and block attempts to inject scripts via the 'fx' shortcode attribute. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. Regularly monitor logs for unusual activity related to testimonial submissions or shortcode usage. Once a patch is available, promptly update the plugin to the fixed version. Additionally, educate content contributors about safe input practices and the risks of injecting untrusted code.