CVE-2026-1804 identifies a stored cross-site scripting vulnerability in the WDES Responsive Popup plugin for WordPress, specifically in the handling of the 'wdes-popup-title' shortcode. This vulnerability is due to insufficient sanitization and escaping of user-supplied input, allowing malicious JavaScript code to be stored persistently within the site content. An attacker with contributor-level privileges or higher can exploit this by injecting arbitrary scripts into popup titles, which then execute in the browsers of any users who visit the affected pages. This compromises the confidentiality and integrity of user sessions and data, potentially enabling cookie theft, privilege escalation, or redirection to malicious sites. The vulnerability affects all versions up to and including 1.3.6. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, requiring privileges but no user interaction, with a scope change and limited confidentiality and integrity impact but no availability impact. No patches are currently linked, and no active exploitation is reported, but the risk remains significant due to the widespread use of WordPress and the plugin's functionality.

The impact of this vulnerability is primarily on the confidentiality and integrity of affected WordPress sites and their users. Attackers can execute arbitrary scripts in the context of the vulnerable site, potentially stealing session cookies, defacing content, or performing actions on behalf of other users. This can lead to unauthorized access, data leakage, and reputational damage. Since the vulnerability requires contributor-level access, the risk is higher in environments where multiple users have such privileges or where account compromise is possible. The scope change means the vulnerability can affect components beyond the initially compromised area, increasing the attack surface. Organizations relying on this plugin for user interaction or marketing popups may face disruption and loss of user trust if exploited.

Organizations should immediately audit their WordPress installations for the presence of the WDES Responsive Popup plugin and verify the version in use. If an updated version addressing this vulnerability is released, prompt patching is essential. In the absence of an official patch, administrators should consider disabling or uninstalling the plugin to eliminate the risk. Additionally, review user roles and permissions to restrict contributor-level access to trusted users only. Implement web application firewalls (WAFs) with rules to detect and block malicious script injections targeting the affected shortcode. Employ content security policies (CSP) to limit the execution of unauthorized scripts. Regularly scan the website for injected scripts and suspicious content. Educate content contributors about safe input practices and monitor logs for unusual activity indicative of exploitation attempts.