CVE-2026-1304 identifies a stored cross-site scripting (XSS) vulnerability in the Membership Plugin – Restrict Content developed by stellarwp for WordPress. This vulnerability arises from improper neutralization of input during web page generation (CWE-79). Specifically, multiple invoice settings fields do not adequately sanitize or escape user input, allowing authenticated users with administrator-level privileges to inject arbitrary JavaScript code. This malicious code is stored persistently and executed whenever any user accesses the affected page, potentially compromising user sessions, stealing credentials, or performing unauthorized actions within the context of the victim's browser session. The vulnerability affects all versions up to and including 3.2.18. Exploitation requires authenticated access with high privileges but does not require user interaction, increasing risk within trusted admin environments. The CVSS 3.1 base score is 4.4, reflecting network attack vector, high attack complexity, required privileges, no user interaction, and limited confidentiality and integrity impact without availability effects. No public exploits or patches are currently available, emphasizing the need for proactive mitigation. The vulnerability is particularly relevant for WordPress sites using this plugin for membership management and invoicing, where administrative users manage invoice settings. Attackers leveraging this flaw could compromise site integrity and user trust by injecting malicious scripts that execute in browsers of site visitors or administrators.

For European organizations, the impact of CVE-2026-1304 can be significant, especially for those relying on WordPress-based membership or subscription services using the Membership Plugin – Restrict Content. Successful exploitation could lead to session hijacking, unauthorized access, or data theft, undermining confidentiality and integrity of user data. This could damage customer trust, lead to regulatory non-compliance under GDPR due to data breaches, and cause reputational harm. Since the vulnerability requires administrator-level access, insider threats or compromised admin accounts pose a heightened risk. The persistent nature of stored XSS means that multiple users could be affected over time, amplifying potential damage. Although availability is not directly impacted, the indirect consequences of injected scripts—such as redirecting users to malicious sites or defacing content—can disrupt business operations and customer experience. European organizations with e-commerce, membership, or subscription models are particularly vulnerable, as attackers may exploit this to gain further footholds or exfiltrate sensitive information. The medium CVSS score reflects moderate risk but should not lead to complacency given the critical role of administrative access and the potential for chained attacks.

To mitigate CVE-2026-1304, European organizations should implement several specific measures beyond generic advice: 1) Immediately audit and restrict administrator-level access to trusted personnel only, employing the principle of least privilege. 2) Monitor and log changes to invoice settings fields and other plugin configurations to detect suspicious input or unauthorized modifications. 3) Employ Web Application Firewalls (WAFs) with custom rules to detect and block common XSS payloads targeting the plugin’s input fields. 4) Conduct manual code reviews or use automated scanning tools to verify input sanitization and output escaping in the plugin’s codebase. 5) Until an official patch is released, consider temporarily disabling or limiting the use of the vulnerable plugin features related to invoice settings. 6) Educate administrators on the risks of stored XSS and safe input handling practices. 7) Plan for rapid deployment of patches once available and test updates in staging environments to ensure no regressions. 8) Implement Content Security Policy (CSP) headers to restrict script execution sources, mitigating impact of injected scripts. 9) Regularly back up site data and configurations to enable quick recovery if exploitation occurs. These targeted actions will reduce the attack surface and limit the potential damage from exploitation.