CVE-2026-1191 is a stored cross-site scripting vulnerability identified in the freemp JavaScript Notifier plugin for WordPress, affecting all versions up to and including 1.2.8. The root cause is insufficient sanitization and escaping of user-supplied input within the plugin's settings, specifically during the execution of the wp_footer action hook. This flaw allows authenticated users with administrator-level access to inject arbitrary JavaScript code that is stored persistently and executed in the context of any user visiting the affected pages. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS 3.1 base score is 4.4, reflecting a medium severity level. The vector indicates that exploitation requires network access (AV:N), high attack complexity (AC:H), high privileges (PR:H), no user interaction (UI:N), and impacts confidentiality and integrity to a low degree (C:L/I:L) without affecting availability (A:N). Although no known exploits have been reported in the wild, the vulnerability poses a risk of session hijacking, unauthorized actions, or defacement through malicious script execution. The scope is 'changed' (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. This vulnerability is particularly relevant for WordPress sites using the freemp JavaScript Notifier plugin, especially those with multiple users or public-facing interfaces. The lack of available patches necessitates immediate mitigation steps to reduce exposure.

The primary impact of CVE-2026-1191 is the potential for stored cross-site scripting attacks, which can lead to unauthorized script execution in users' browsers. This can result in session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and website defacement. Since exploitation requires administrator-level access, the risk is somewhat mitigated by the need for high privileges; however, insider threats or compromised admin accounts can leverage this vulnerability to escalate attacks. The confidentiality and integrity of user data and site content are at risk, though availability is not affected. For organizations, this can lead to reputational damage, loss of user trust, and potential regulatory consequences if user data is compromised. The vulnerability affects all installations of the freemp JavaScript Notifier plugin up to version 1.2.8, which may be widely deployed in WordPress environments globally. The medium CVSS score reflects moderate risk, but the potential for chained attacks or further exploitation increases the overall threat landscape.

To mitigate CVE-2026-1191, organizations should first check for any official patches or updates from the freemp plugin developers and apply them immediately once available. In the absence of patches, administrators should restrict plugin usage to trusted users only and limit administrator privileges to essential personnel to reduce the risk of exploitation. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the wp_footer action can provide temporary protection. Additionally, site administrators should audit plugin settings for suspicious or unexpected entries and sanitize or remove any untrusted content. Employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly monitoring logs for unusual administrator activity and conducting security reviews of installed plugins can further reduce risk. Finally, consider disabling or replacing the freemp JavaScript Notifier plugin with a more secure alternative if immediate patching is not feasible.