CVE-2026-1191 is a stored cross-site scripting (XSS) vulnerability identified in the freemp JavaScript Notifier plugin for WordPress, affecting all versions up to and including 1.2.8. The root cause is insufficient sanitization and escaping of user-supplied input within plugin settings that are processed during the wp_footer WordPress action hook. This flaw allows an attacker with administrator-level privileges to inject arbitrary JavaScript code into the plugin's stored settings. When any user accesses a page where the injected script is rendered, the malicious code executes in their browser context. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. Exploitation requires authenticated access with high privileges but does not require user interaction once the malicious script is stored. The CVSS 3.1 base score is 4.4, reflecting a medium severity level, with attack vector as network, attack complexity high, privileges required high, no user interaction, and a scope change. The impact primarily affects confidentiality and integrity, enabling potential session hijacking, credential theft, or unauthorized actions performed on behalf of users. No public exploits are currently known, but the vulnerability's presence in a widely used CMS plugin increases the risk profile. The lack of official patches at the time of disclosure necessitates immediate mitigation efforts by administrators.

For European organizations, this vulnerability can lead to unauthorized execution of malicious scripts within their WordPress sites, compromising user sessions and potentially exposing sensitive data. Since the attack requires administrator-level access, the threat is more significant in environments with weak access controls or compromised admin credentials. Exploitation could result in session hijacking, defacement, or unauthorized actions performed by attackers impersonating legitimate users. This undermines trust in affected websites and can lead to regulatory compliance issues under GDPR if personal data is exposed or manipulated. The medium severity score indicates a moderate risk, but the scope of impact can be substantial in organizations relying heavily on WordPress for public-facing or internal portals. Additionally, the stored nature of the XSS means that all visitors to an infected page are at risk, increasing the potential damage. European entities with large WordPress deployments or e-commerce platforms are particularly vulnerable to reputational and operational impacts.

1. Immediately restrict administrator access to trusted personnel and enforce strong authentication mechanisms, including multi-factor authentication (MFA). 2. Review and audit all plugin settings for suspicious or unexpected script content and remove any malicious entries. 3. Apply strict input validation and output escaping for all user-supplied data in plugin settings, ideally by updating to a patched version once available. 4. If no patch is available, consider disabling or uninstalling the freemp JavaScript Notifier plugin until a secure version is released. 5. Monitor web server and application logs for unusual activity or repeated access to wp_footer-related endpoints. 6. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. 7. Conduct regular security assessments and penetration testing focusing on WordPress plugins and administrator workflows. 8. Educate administrators on the risks of stored XSS and the importance of cautious input handling within plugin configurations.