CVE-2026-1300 identifies a stored Cross-Site Scripting (XSS) vulnerability in the mehtevas Responsive Header plugin for WordPress, affecting all versions up to and including 1.0. The vulnerability stems from improper neutralization of input during web page generation, specifically due to insufficient sanitization and escaping of multiple plugin settings parameters. This flaw allows authenticated attackers with administrator-level or higher privileges to inject arbitrary JavaScript code into pages generated by the plugin. The malicious scripts are stored persistently and execute in the context of any user who views the affected page, potentially compromising user sessions, stealing credentials, or performing unauthorized actions. The vulnerability is limited to multisite WordPress installations or those where the unfiltered_html capability is disabled, as these conditions affect how content filtering is applied. The CVSS v3.1 base score is 4.4, indicating medium severity, with the vector reflecting network attack vector, high attack complexity, required privileges at the administrator level, no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported, but the vulnerability poses a risk in environments where administrators manage multisite WordPress deployments using this plugin. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for cautious administrative controls and monitoring.

For European organizations, this vulnerability poses a moderate risk primarily to those operating multisite WordPress environments with the mehtevas Responsive Header plugin installed. Successful exploitation could lead to unauthorized script execution in the context of legitimate users, enabling session hijacking, credential theft, or further privilege escalation. This can compromise the confidentiality and integrity of sensitive information managed through the affected WordPress sites. Given the requirement for administrator-level access to exploit, insider threats or compromised admin accounts are the most likely vectors. The impact is heightened in sectors with strict data protection regulations such as GDPR, where data breaches can lead to significant legal and financial penalties. Additionally, organizations relying on WordPress for customer-facing portals or internal collaboration tools may face reputational damage and operational disruption if malicious scripts are injected. The vulnerability's limitation to multisite setups narrows the affected population but does not eliminate risk for large enterprises or service providers hosting multiple sites. The absence of known exploits reduces immediate threat but does not preclude targeted attacks, especially in high-value environments.

European organizations should take the following specific mitigation steps: 1) Immediately audit WordPress installations to identify multisite environments using the mehtevas Responsive Header plugin, especially versions up to 1.0. 2) If a patch becomes available, apply it promptly; in the absence of a patch, consider disabling or uninstalling the plugin to eliminate the attack surface. 3) Restrict administrator-level access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 4) Review and harden multisite configuration settings, ensuring that unfiltered_html capability is enabled only where necessary and monitored closely. 5) Implement Content Security Policy (CSP) headers to limit the impact of potential script injections. 6) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 7) Educate administrators about the risks of stored XSS and the importance of input validation and output escaping in plugin development and configuration. 8) Consider deploying Web Application Firewalls (WAFs) with rules targeting known XSS patterns related to this plugin. These measures collectively reduce the likelihood of exploitation and limit potential damage.