
CVE-2026-1300: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mehtevas Responsive Header Plugin

Severity: Medium
Tags: Vulnerability, CVE-2026-1300, CWE-79
Published: Sat Jan 24 2026 (01/24/2026, 09:08:06 UTC)
Source: CVE Database V5
Vendor/Project: mehtevas
Product: Responsive Header Plugin

Description

The Responsive Header plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple plugin settings parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 19:04:36 UTC

Technical Analysis

CVE-2026-1300 identifies a stored Cross-Site Scripting (XSS) vulnerability in the mehtevas Responsive Header plugin for WordPress, present in all versions up to and including 1.0. The root cause is improper neutralization of input during web page generation (CWE-79): multiple plugin settings parameters are neither sufficiently sanitized when saved nor escaped when rendered. An authenticated attacker with administrator-level access or higher can store arbitrary JavaScript in those settings; the script persists in the database and executes in the browser of any user who views a page where the setting is output. The issue is limited to multi-site installations and to installations where the unfiltered_html capability has been disabled. On a default single-site install, administrators hold unfiltered_html and storing unfiltered markup is within their granted capabilities; where that capability is absent, the plugin's own sanitization is the only barrier, and it is insufficient. The attack vector requires network access and high privileges (administrator), and no user interaction is required for the stored script to execute once injected. The vulnerability affects confidentiality and integrity: injected script can lead to session hijacking, credential theft, or further privilege escalation within the WordPress admin environment. The CVSS 3.1 base score is 4.4 (medium), held down by the high privileges required and the absence of any availability impact. No patches or known exploits are currently reported, but the risk remains significant for affected environments.
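The following is an added example, not code from the Responsive Header plugin or its author: the standard WordPress pattern that closes this class of stored XSS in a settings page, with the unescaped output shown beside its hardened form. The option group, option name and rh_demo_ prefix are hypothetical placeholders.

```php
<?php
// Added example, not the Responsive Header plugin's code. The option
// group, option name and function prefix (rh_demo_) are placeholders.

// 1. Register the setting with a sanitize_callback so whatever an
//    administrator submits is filtered before update_option() stores it.
add_action( 'admin_init', function () {
    register_setting(
        'rh_demo_settings',     // hypothetical option group
        'rh_demo_header_text',  // hypothetical option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'rh_demo_sanitize_header_text',
            'default'           => '',
        )
    );
} );

// Sanitizer for a plain-text setting: sanitize_text_field() strips tags,
// line breaks and invalid UTF-8. If some markup must survive, use
// wp_kses() with an explicit tag/attribute allowlist instead.
function rh_demo_sanitize_header_text( $value ) {
    return sanitize_text_field( (string) $value );
}

// 2. Vulnerable output: the stored value is echoed verbatim, so any
//    markup that reached the database runs in every visitor's browser.
function rh_demo_render_header_vulnerable() {
    $text = get_option( 'rh_demo_header_text', '' );
    echo '<div class="rh-header" data-title="' . $text . '">' . $text . '</div>';
}

// 3. Hardened output: escape for the exact context at the point of use,
//    esc_attr() inside an attribute value, esc_html() between tags.
function rh_demo_render_header() {
    $text = get_option( 'rh_demo_header_text', '' );
    echo '<div class="rh-header" data-title="' . esc_attr( $text ) . '">'
        . esc_html( $text ) . '</div>';
}

// 4. The settings form itself re-displays the saved value to the
//    administrator, so it needs the same escaping.
function rh_demo_settings_field() {
    printf(
        '<input type="text" name="rh_demo_header_text" value="%s" />',
        esc_attr( get_option( 'rh_demo_header_text', '' ) )
    );
}
```

Sanitizing on save and escaping on output are both needed: the sanitizer limits what the database can hold, while output escaping also covers values that arrived by another path (imports, direct database edits, or rows written by an older plugin version).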

Potential Impact

The primary impact of CVE-2026-1300 is the potential for persistent Cross-Site Scripting attacks within WordPress multi-site environments using the vulnerable Responsive Header plugin. Successful exploitation could allow an attacker with administrator privileges to execute arbitrary JavaScript in the context of other administrators or users accessing the affected pages. This can lead to session hijacking, theft of sensitive data, unauthorized actions performed on behalf of other users, and potential privilege escalation. Although the vulnerability requires high privileges to exploit, the persistence of injected scripts increases the risk of lateral movement and broader compromise within the WordPress installation. Organizations relying on multi-site WordPress setups with this plugin may face increased risk of internal compromise, data leakage, and disruption of administrative operations. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often target WordPress plugins due to their widespread use. The medium CVSS score reflects moderate impact, but the scope is limited to environments with specific configurations and high-privilege attackers.

Mitigation Recommendations

To mitigate CVE-2026-1300, organizations should first verify whether they run the mehtevas Responsive Header plugin on a multi-site WordPress installation or on an installation with unfiltered_html disabled. Since no official patch is currently available, administrators should consider the following actions:

1) Restrict administrator access strictly to trusted personnel, since only an account at that level can inject the script.
2) Temporarily disable or uninstall the Responsive Header plugin in multi-site environments until a patch is released.
3) Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the plugin's settings parameters.
4) Regularly audit plugin settings and database entries for unexpected or suspicious script content.
5) Enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the WordPress admin interface.
6) Monitor WordPress logs and user activity, in particular settings changes made by administrator accounts, for signs of exploitation attempts.
7) Once available, promptly apply vendor patches or updates addressing this vulnerability.


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-21T18:44:21.554Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69748ef84623b1157cac2e8a

Added to database: 1/24/2026, 9:20:56 AM

Last enriched: 2/26/2026, 7:04:36 PM

Last updated: 3/25/2026, 11:19:55 AM

