CVE-2026-1573 is a stored Cross-Site Scripting (XSS) vulnerability identified in the OMIGO plugin for WordPress, specifically within the `omigo_donate_button` shortcode. This vulnerability stems from insufficient sanitization and escaping of user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the injected scripts are stored persistently, they execute every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability affects all versions of OMIGO up to and including 3.3. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change. While no public exploits are currently known, the vulnerability poses a significant risk in environments where multiple users have contributor or higher roles. The scope change indicates that the vulnerability can affect components beyond the initially vulnerable plugin, potentially impacting the broader WordPress site. The vulnerability was reserved in late January 2026 and published in early February 2026. The lack of available patches at the time of reporting necessitates immediate mitigation steps by administrators. This vulnerability is categorized under CWE-79, which covers improper neutralization of input during web page generation, a common vector for XSS attacks.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on WordPress sites with multiple authenticated contributors, such as news outlets, NGOs, educational institutions, and e-commerce platforms. Exploitation could lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or distribution of malware through injected scripts. This can damage organizational reputation, lead to data breaches involving user credentials or personal data, and cause operational disruptions. Given the medium CVSS score and the requirement for contributor-level access, the risk is elevated in environments with less stringent user role management or where contributor accounts are shared or compromised. The scope change implies that the vulnerability could affect other components or plugins interacting with OMIGO, potentially broadening the impact. Additionally, compliance with GDPR and other European data protection regulations may be jeopardized if personal data is exposed or compromised through this vulnerability. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.

1. Immediately restrict contributor-level and higher access to trusted users only, and audit existing user roles for unnecessary privileges. 2. Disable or remove the OMIGO plugin if it is not essential to reduce attack surface. 3. Monitor WordPress sites for unusual script injections or unexpected behavior on pages using the `omigo_donate_button` shortcode. 4. Implement Web Application Firewall (WAF) rules to detect and block malicious script payloads targeting the shortcode parameters. 5. Apply strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 6. Regularly update the OMIGO plugin once a patch is released by the vendor. 7. Educate site administrators and contributors about the risks of XSS and safe content practices. 8. Conduct security scans and penetration tests focusing on stored XSS vulnerabilities in WordPress environments. 9. Use security plugins that can sanitize inputs and outputs or provide additional filtering for shortcodes. 10. Maintain regular backups to enable quick restoration if an attack occurs.