CVE-2026-1373: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in lawsonry Easy Author Image
The Easy Author Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author_profile_picture_url' parameter in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2026-1373 is a stored cross-site scripting (XSS) vulnerability in the Easy Author Image plugin for WordPress, published by lawsonry. The plugin accepts an 'author_profile_picture_url' parameter without adequate input sanitization and later emits the stored value into a page without output escaping, so an authenticated user with Subscriber-level access or higher can persist a value containing script (or an attribute breakout around the image URL) that is rendered wherever the author image appears. Subscriber is WordPress's lowest default role and can do little beyond editing its own profile, which strongly suggests the field is exposed through the user's own profile form; on a site with open registration, any freshly registered account is therefore enough to plant the payload. The script runs in the browser of every visitor who loads an affected page, administrators included. WordPress authentication cookies are HttpOnly, so the realistic goal is not cookie theft but actions carried out through the victim's browser: reading page content, issuing REST API or admin-ajax requests that carry the victim's nonce and privileges, or defacing the site. All versions up to and including 1.7 are affected. The CVSS v3.1 base score is 6.4 (medium), corresponding to the vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: network attack vector, low attack complexity, low privileges required, no user interaction, changed scope (the payload executes in the victim's browser, a different security authority from the vulnerable server-side component), low confidentiality and integrity impact, and no availability impact. No public exploit was known at the time of writing. The weakness is classified as CWE-79, a common and well-understood class of web application flaw, in a plugin for a platform that is deployed across a large share of content-management and publishing sites.
Potential Impact
For European organizations running Easy Author Image, the exposure is greatest on sites that allow self-registration or host many low-privilege accounts: community sites, multi-author blogs, and intranets with contributor logins. A single Subscriber account suffices to plant a payload that then executes for every visitor, including editors and administrators; in an administrator's browser the script can perform privileged actions on the victim's behalf, such as creating users, changing content, or installing plugins, which turns a medium-severity XSS into a site-takeover path. The other consequences are the usual ones for stored XSS: defacement, redirection of visitors to phishing or malware pages, theft of data entered on the page, and reputational damage. WordPress powers a substantial share of European government, educational, and commercial websites, so the plugin's installed base, rather than the sophistication of the flaw, determines the aggregate risk. The authentication requirement limits exposure compared with an unauthenticated XSS but does not remove it, because Subscriber is the lowest role and is often granted freely. The changed scope in the CVSS vector reflects that the payload executes in users' browsers rather than within the plugin's own context. No exploit is public at the time of writing, but the attack is trivial to carry out once the injection point is known, so remediation should not wait for evidence of exploitation.
Mitigation Recommendations
1. Apply the vendor's fixed release of Easy Author Image as soon as one is available. The advisory covers all versions up to and including 1.7, so treat any installation at or below 1.7 as vulnerable and confirm the installed version after updating.
2. Until a fix is applied, reduce who can reach the injection point. Subscriber is WordPress's lowest default role, so tightening role capabilities does not help; instead disable open registration (Settings → General → Membership, "Anyone can register"), remove or disable dormant low-privilege accounts, and require approval for new ones on sites that must accept registrations.
3. Add a WAF rule that inspects the 'author_profile_picture_url' request parameter and blocks values that are not plain http(s) URLs (anything containing '<', '>', quotes, or a javascript:/data: scheme). Such a rule stops new injections but does nothing about payloads already stored.
4. If you maintain custom code that reads or writes this value (themes, child plugins, integrations), sanitize on save with esc_url_raw() restricted to http and https, and escape on output with esc_url() or esc_attr(); never echo a stored URL into markup unescaped.
5. Check whether a payload is already present: review the author-image URL stored for every user and search user meta for values containing markup or a javascript: scheme. If one is found, treat the site as compromised and look for follow-on changes (new administrator accounts, modified plugin or theme files, unexpected scheduled tasks). Include stored-XSS checks against low-privilege roles in regular audits and penetration tests of WordPress estates.
6. Brief content editors and site owners on the symptoms (unexpected redirects, pop-ups, altered author boxes) and make it easy to report them.
7. If a fix cannot be applied promptly, deactivate the plugin or replace it with one that is actively maintained.
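To make the sanitize-on-save and escape-on-output advice concrete, the following PHP is an added illustration, not code from the Easy Author Image plugin. It shows a hypothetical profile-picture-URL field written the way the advisory describes (raw parameter stored, stored value echoed), then a hardened version, and finally a query for finding payloads that are already stored. The meta key 'eai_author_profile_picture_url', the eai_* function names, and the assumption that the field is saved from the standard WordPress profile form (which carries core's 'update-user_<id>' nonce) are all assumptions made for this example.

```php
<?php
/*
 * Added example, not the Easy Author Image plugin's code. Meta key,
 * function names and the profile-form hooks are assumptions.
 */

/* ---- Vulnerable pattern (CWE-79) ------------------------------------- */

function eai_vuln_save_profile( $user_id ) {
    if ( isset( $_POST['author_profile_picture_url'] ) ) {
        // Stored verbatim: a value such as
        //   "><img src=x onerror=alert(document.domain)>
        // reaches the database unchanged.
        update_user_meta( $user_id, 'eai_author_profile_picture_url',
            $_POST['author_profile_picture_url'] );
    }
}

function eai_vuln_render_avatar( $user_id ) {
    $url = get_user_meta( $user_id, 'eai_author_profile_picture_url', true );
    // Unescaped output: the payload closes the src attribute and the
    // injected element runs for every visitor who sees the author box.
    echo '<img src="' . $url . '" alt="Author">';
}

/* ---- Hardened version ------------------------------------------------ */

function eai_safe_save_profile( $user_id ) {
    // Subscribers may edit only their own profile; anyone else needs edit_user.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }
    // Core verifies this nonce before firing the profile-update hooks;
    // re-checking keeps the function safe if it is ever called elsewhere.
    check_admin_referer( 'update-user_' . $user_id );

    if ( ! isset( $_POST['author_profile_picture_url'] ) ) {
        return;
    }
    $raw = trim( wp_unslash( $_POST['author_profile_picture_url'] ) );
    if ( '' === $raw ) {
        delete_user_meta( $user_id, 'eai_author_profile_picture_url' );
        return;
    }

    // esc_url_raw() drops characters that cannot appear in a URL and rejects
    // schemes outside the given list, so javascript: and data: never reach
    // the database. The extra checks refuse anything that is not a valid
    // absolute http(s) URL rather than storing a mangled remnant of the input.
    $url    = esc_url_raw( $raw, array( 'http', 'https' ) );
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( '' === $url
        || false === filter_var( $url, FILTER_VALIDATE_URL )
        || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return; // keep the previous value; a form error could be added here
    }
    update_user_meta( $user_id, 'eai_author_profile_picture_url', $url );
}

function eai_safe_render_avatar( $user_id ) {
    $url = get_user_meta( $user_id, 'eai_author_profile_picture_url', true );
    if ( '' === $url ) {
        return;
    }
    // Escape on output as well (defence in depth): esc_url() re-validates
    // the scheme and encodes characters that would break out of the attribute.
    printf(
        '<img src="%s" alt="%s">',
        esc_url( $url ),
        esc_attr( get_the_author_meta( 'display_name', $user_id ) )
    );
}

add_action( 'personal_options_update',  'eai_safe_save_profile' );
add_action( 'edit_user_profile_update', 'eai_safe_save_profile' );

/* ---- Hunting for payloads already stored ----------------------------- */

function eai_find_suspicious_avatar_urls() {
    global $wpdb;
    // A URL field should never contain markup, quotes or a javascript:
    // scheme; any match deserves manual review of that account.
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT user_id, meta_value FROM {$wpdb->usermeta}
          WHERE meta_key = %s
            AND ( meta_value LIKE %s OR meta_value LIKE %s
                  OR meta_value LIKE %s OR meta_value LIKE %s )",
        'eai_author_profile_picture_url',
        '%<%', '%>%', '%"%', '%javascript:%'
    ) );
}

// Run with `wp eval-file this-file.php` from the site root to list hits.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    foreach ( eai_find_suspicious_avatar_urls() as $row ) {
        WP_CLI::warning( "user {$row->user_id}: " . substr( $row->meta_value, 0, 120 ) );
    }
}
```

The save path validates before storing and the render path escapes again on output; either alone closes the hole the advisory describes, and keeping both means a future code path that reads the value through a different template does not reopen it. The hunt query only covers the assumed meta key, so adjust it to wherever the plugin actually persists the value on your installation.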
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-23T16:49:30.413Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699697f56aea4a407a3be103
Added to database: 2/19/2026, 4:56:21 AM
Last enriched: 2/19/2026, 5:13:36 AM
Last updated: 2/21/2026, 12:21:41 AM
Related Threats
- CVE-2026-27203: CWE-15: External Control of System or Configuration Setting in YosefHayim ebay-mcp (High)
- CVE-2026-27168: CWE-122: Heap-based Buffer Overflow in HappySeaFox sail (High)
- CVE-2026-27134: CWE-287: Improper Authentication in strimzi strimzi-kafka-operator (High)
- CVE-2026-27190: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in denoland deno (High)
- CVE-2026-27026: CWE-770: Allocation of Resources Without Limits or Throttling in py-pdf pypdf (Medium)