CVE-2026-1164 is a stored cross-site scripting (XSS) vulnerability identified in the Easy Voice Mail plugin for WordPress, developed by phoenixstudiodz. The vulnerability exists in all versions up to and including 1.2.5 and stems from insufficient input sanitization and output escaping of the 'message' parameter. This flaw allows an authenticated attacker with Administrator-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, defacement, or distribution of malware. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.1 (medium severity), with an attack vector of network, low attack complexity, no privileges required (PR:N) but user interaction required (UI:R), and a scope change (S:C). The impact affects confidentiality and integrity but not availability. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The attack requires an authenticated administrator, limiting the attack surface but still posing a significant risk in compromised or insider threat scenarios.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the Easy Voice Mail WordPress plugin. Successful exploitation could lead to unauthorized script execution in users' browsers, enabling theft of session cookies, redirection to malicious sites, or unauthorized actions performed on behalf of users. This can compromise user data confidentiality and website integrity, potentially damaging organizational reputation and trust. Since exploitation requires administrator-level access, the threat is heightened in environments where admin credentials are weak, reused, or compromised. Organizations with public-facing WordPress sites that use this plugin are particularly vulnerable, including government, educational, and commercial sectors. The impact is compounded in sectors with strict data protection regulations like GDPR, where data breaches can lead to significant fines and legal consequences. Although no known exploits are currently in the wild, the public disclosure increases the risk of future attacks, especially if attackers gain admin access through other means.

European organizations should immediately audit their WordPress installations to identify the presence of the Easy Voice Mail plugin and verify the version in use. Since no official patches are currently available, administrators should consider the following mitigations: 1) Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 2) Implement web application firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting the 'message' parameter. 3) Regularly monitor logs for unusual administrator activity or unexpected content changes in the plugin's pages. 4) Temporarily disable or uninstall the plugin if feasible until a patch is released. 5) Educate administrators on the risks of XSS and the importance of input validation. 6) Keep WordPress core and all plugins updated to minimize the attack surface. 7) Employ Content Security Policy (CSP) headers to restrict script execution origins, mitigating the impact of injected scripts. These measures collectively reduce the risk of exploitation while awaiting an official patch.