CVE-2026-1300 identifies a stored Cross-Site Scripting (XSS) vulnerability in the mehtevas Responsive Header plugin for WordPress, affecting all versions up to and including 1.0. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), where multiple plugin settings parameters lack sufficient input sanitization and output escaping. Authenticated attackers with administrator-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into plugin settings, which is then stored and executed whenever any user views the affected pages. This persistent XSS can lead to session hijacking, defacement, or further privilege escalation. The vulnerability specifically impacts WordPress multi-site installations or single-site installations where the unfiltered_html capability is disabled, as these configurations restrict direct HTML input, making the plugin’s insufficient sanitization a critical vector. The CVSS 3.1 base score is 4.4, reflecting network attack vector, high attack complexity, required privileges at the administrator level, no user interaction, and partial confidentiality and integrity impact without availability impact. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The issue highlights the importance of rigorous input validation and output encoding in WordPress plugins, especially those handling administrative settings in multi-site environments.

For European organizations, this vulnerability poses a moderate risk primarily to those running WordPress multi-site environments with the mehtevas Responsive Header plugin installed. Exploitation requires administrator-level access, which limits the attack surface to insiders or compromised admin accounts. However, successful exploitation can lead to persistent XSS attacks that compromise user sessions, steal sensitive data, or facilitate further attacks such as privilege escalation or malware distribution. Organizations in sectors with high reliance on WordPress multi-site deployments—such as media, education, and government—may face reputational damage and regulatory scrutiny if user data confidentiality is breached. The vulnerability’s impact on integrity and confidentiality, though limited, can disrupt trust in web services and lead to compliance violations under GDPR if personal data is exposed. Since no known exploits exist yet, proactive mitigation can prevent exploitation. The medium severity rating suggests that while the threat is not critical, it should not be ignored, especially in environments with multiple administrators or high-value targets.

1. Immediately audit WordPress installations to identify the presence of the mehtevas Responsive Header plugin, particularly in multi-site configurations. 2. Disable or remove the plugin if it is not essential to reduce the attack surface. 3. If the plugin is required, restrict administrator access strictly and monitor for unusual administrative activities. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting plugin settings parameters. 5. Educate administrators on the risks of stored XSS and enforce strong authentication and session management policies. 6. Regularly back up WordPress sites and maintain an incident response plan for potential XSS exploitation. 7. Monitor official plugin repositories and security advisories for patches or updates addressing this vulnerability and apply them promptly once available. 8. Consider deploying Content Security Policy (CSP) headers to mitigate the impact of injected scripts. 9. Review and harden WordPress capability settings, especially the unfiltered_html capability, to limit HTML input where possible. 10. Conduct periodic security assessments focusing on plugin vulnerabilities in multi-site environments.