CVE-2026-1795 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the Address Bar Ads plugin for WordPress, developed by sivenso. This vulnerability exists in all versions up to and including 1.0.0 due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of URL path parameters. An unauthenticated attacker can craft a malicious URL containing executable JavaScript code embedded in the URL path. When a victim clicks this link, the injected script executes in the context of the vulnerable website, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or redirect the user to malicious sites. The vulnerability requires user interaction (clicking the link) but no authentication or elevated privileges. The CVSS 3.1 score of 6.1 reflects a network attack vector, low attack complexity, no privileges required, user interaction needed, and a scope change with partial confidentiality and integrity impact but no availability impact. No patches are currently linked, and no known exploits have been reported in the wild, indicating the vulnerability is newly disclosed. The CWE-79 classification confirms this is a classic reflected XSS issue. The vulnerability affects WordPress sites using the Address Bar Ads plugin, which is often used for advertising and monetization purposes, increasing the risk of exploitation on commercial and content-driven websites.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on WordPress sites with the Address Bar Ads plugin for advertising revenue or user engagement. Successful exploitation can lead to session hijacking, allowing attackers to impersonate users and access sensitive information. It can also facilitate phishing attacks by redirecting users to malicious sites or displaying fraudulent content. Data integrity may be compromised if attackers manipulate displayed content or user inputs. Although availability is not directly impacted, reputational damage and loss of user trust can result from visible defacement or data breaches. Organizations in sectors such as e-commerce, media, and financial services are particularly at risk due to the sensitive nature of their web applications and user data. The requirement for user interaction means social engineering is a key factor, making user awareness and training important. The absence of known exploits suggests a window of opportunity for proactive mitigation before widespread attacks occur.

Immediate mitigation should include disabling the Address Bar Ads plugin until a security patch is released. Organizations should monitor vendor communications for updates and apply patches promptly once available. In the interim, web application firewalls (WAFs) can be configured to detect and block suspicious URL patterns that attempt to inject scripts via the URL path. Implementing strict input validation and output encoding on all user-controllable inputs is critical to prevent script injection. Deploying Content Security Policy (CSP) headers can help restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Additionally, educating users about the risks of clicking unknown or suspicious links can reduce successful exploitation. Regular security audits and penetration testing focused on input validation and XSS vulnerabilities should be conducted. Logging and monitoring web traffic for anomalous requests can help detect attempted exploitation attempts early.