CVE-2026-1573 identifies a stored Cross-Site Scripting (XSS) vulnerability in the OMIGO plugin for WordPress, specifically in the omigo_donate_button shortcode. The vulnerability stems from insufficient sanitization and escaping of user-supplied attributes, allowing authenticated users with contributor-level or higher permissions to inject arbitrary JavaScript code into pages. When other users visit these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing actions on behalf of the victim. The vulnerability affects all versions up to and including 3.3 of the OMIGO plugin. The CVSS 3.1 score of 6.4 reflects a medium severity with a network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is considered changed (S:C) because the vulnerability can affect other users beyond the attacker. No patches or exploit code are currently publicly available, but the flaw is documented and published by Wordfence. The vulnerability is categorized under CWE-79, which covers improper neutralization of input during web page generation. This type of stored XSS is particularly dangerous in multi-user environments like WordPress sites with multiple contributors, as it enables persistent script injection that can affect all visitors to the compromised pages.

The primary impact of CVE-2026-1573 is the compromise of user confidentiality and integrity on affected WordPress sites using the OMIGO plugin. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and defacement of web content. Although availability is not directly impacted, the reputational damage and loss of user trust can be significant. Organizations relying on OMIGO for donation functionality may face financial and operational risks if attackers exploit this vulnerability to redirect donations or manipulate site behavior. The vulnerability's exploitation requires authenticated access, which limits the attack surface but still poses a serious risk in environments with multiple contributors or where contributor accounts may be compromised. The scope of impact extends beyond the attacker to all users accessing the injected pages, increasing the potential damage. Given the widespread use of WordPress globally, many organizations, including nonprofits, small businesses, and community sites, could be affected if they use this plugin without mitigation.

To mitigate CVE-2026-1573, organizations should first check for updates or patches from the OMIGO plugin vendor and apply them promptly once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only, minimizing the risk of malicious script injection. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injection attempts in shortcode attributes can provide temporary protection. Site administrators should audit existing content generated via the omigo_donate_button shortcode for injected scripts and remove any malicious code. Enforcing Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Additionally, hardening WordPress installations by disabling untrusted plugins, regularly reviewing user permissions, and monitoring logs for unusual activity will help reduce risk. Educating contributors about safe input practices and the risks of injecting scripts is also beneficial. Finally, consider isolating donation functionality or using alternative plugins with better security track records until this vulnerability is resolved.