CVE-2026-1804 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WDES Responsive Popup plugin for WordPress, maintained by master-buldog. The flaw exists in all versions up to and including 1.3.6 and arises from improper neutralization of input during web page generation, specifically within the 'wdes-popup-title' shortcode. This shortcode accepts user-supplied attributes that are insufficiently sanitized and escaped before being rendered on pages. Authenticated attackers with contributor-level access or higher can exploit this by injecting arbitrary JavaScript code into the shortcode attribute. Because the injection is stored, the malicious script executes every time any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and scope change. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors. The lack of available patches at the time of reporting necessitates immediate mitigation steps to reduce exposure.

For European organizations, this vulnerability can lead to unauthorized script execution on their WordPress-powered websites, potentially resulting in session hijacking, defacement, phishing, or unauthorized actions performed by compromised user sessions. Organizations that allow contributor-level access to multiple users increase the risk surface. The impact includes loss of confidentiality (user data exposure), integrity (content manipulation), and reputational damage. Since WordPress is widely used across Europe for corporate, governmental, and media websites, exploitation could disrupt services or erode user trust. The vulnerability does not directly affect availability but could indirectly cause service disruptions if exploited for defacement or injected malware. Sensitive sectors such as finance, healthcare, and public administration are particularly at risk due to the potential for data leakage or manipulation.

1. Immediately audit and restrict contributor-level access to trusted users only, minimizing the number of users who can exploit this vulnerability. 2. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs containing script tags or JavaScript payloads. 3. Monitor WordPress logs and shortcode usage for unusual patterns or unexpected script injections. 4. Disable or remove the WDES Responsive Popup plugin if it is not essential to reduce attack surface. 5. Apply input validation and output escaping manually if custom modifications are possible, ensuring all shortcode attributes are sanitized. 6. Stay alert for official patches or updates from the plugin vendor and apply them promptly once released. 7. Educate content contributors about safe content practices and the risks of injecting scripts. 8. Regularly back up website content to enable quick restoration in case of compromise.