CVE-2026-1755 identifies a stored cross-site scripting vulnerability in the Menu Icons by ThemeIsle plugin for WordPress, present in all versions up to and including 0.13.20. The vulnerability stems from insufficient input sanitization and output escaping of the '_wp_attachment_image_alt' post meta field, which is used to store alternative text for images. Authenticated users with Author-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into this field. Because the injected script is stored persistently, it executes whenever any user accesses the affected page, leading to potential compromise of user sessions, theft of cookies, or execution of unauthorized actions within the context of the victim’s browser session. The vulnerability does not require user interaction but does require the attacker to have authenticated access with at least Author privileges, which is common in many WordPress multi-user environments. The CVSS 3.1 base score of 6.4 reflects medium severity, with network attack vector, low attack complexity, and no user interaction needed. The scope is changed due to the potential impact on other users viewing the injected content. No public exploit code or active exploitation has been reported yet. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those handling user-generated content or metadata. Since the plugin is widely used to enhance menu icons in WordPress sites, many websites could be affected if they have not updated or mitigated this issue.

The primary impact of this vulnerability is the compromise of confidentiality and integrity for users interacting with affected WordPress sites. Attackers with Author-level access can inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, theft of authentication tokens, defacement, or unauthorized actions performed on behalf of victims. This can undermine trust in the affected websites and lead to data breaches or further compromise of user accounts. The vulnerability does not directly affect availability but can indirectly cause service disruption if exploited to deface or manipulate site content. Organizations relying on WordPress sites with multiple user roles, especially those allowing Author-level access to contributors, are at higher risk. The scope of impact extends beyond the attacker’s account to all users viewing the injected content, increasing the potential damage. While no known exploits are currently active, the medium severity and ease of exploitation by authenticated users make timely remediation critical to prevent future attacks.

To mitigate this vulnerability, organizations should immediately update the Menu Icons by ThemeIsle plugin to a version that addresses this issue once available. In the absence of an official patch, administrators can implement strict input validation and output encoding for the '_wp_attachment_image_alt' post meta field to prevent script injection. Limiting Author-level privileges to trusted users reduces the attack surface. Employing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting this field can provide interim protection. Regularly auditing user roles and permissions to ensure minimal necessary access helps reduce risk. Additionally, monitoring logs for unusual activity related to post meta updates and scanning site content for injected scripts can aid in early detection. Educating content contributors about secure input practices and enforcing security best practices in plugin development are also recommended. Finally, backing up site data before applying changes ensures recovery capability in case of exploitation.