CVE-2026-1824: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in leopoldinfomaniak Infomaniak Connect for OpenID
CVE-2026-1824 is a stored cross-site scripting (XSS) vulnerability in the Infomaniak Connect for OpenID WordPress plugin, affecting all versions up to 1.0.2. The flaw arises from improper input sanitization and output escaping of the 'endpoint_login' parameter in the infomaniak_connect_generic_auth_url shortcode. Authenticated users with Contributor-level access or higher can inject malicious scripts that execute when other users view the compromised pages. The vulnerability has a CVSS 3.1 score of 6.4, indicating medium severity, with potential impacts on confidentiality and integrity but no direct availability impact. Exploitation does not require user interaction but does require authenticated access with limited privileges. No known exploits are currently reported in the wild.
AI Analysis
Technical Summary
CVE-2026-1824 is a stored cross-site scripting vulnerability identified in the Infomaniak Connect for OpenID plugin for WordPress, versions up to and including 1.0.2. The vulnerability stems from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'endpoint_login' parameter used in the infomaniak_connect_generic_auth_url shortcode. This allows authenticated attackers with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability is classified under CWE-79 and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based (remote), attack complexity is low, Contributor-level privileges are required, and no user interaction is needed. The scope is changed because the stored script executes for every user who views the affected page, not only the attacker. No patches or known exploits are currently available, but the plugin's widespread use in WordPress environments makes this a notable risk. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in plugins handling authentication workflows.
Potential Impact
The primary impact of CVE-2026-1824 is on the confidentiality and integrity of affected WordPress sites using the Infomaniak Connect for OpenID plugin. An attacker with Contributor-level access can inject persistent malicious scripts that execute in the context of other users, including administrators, potentially allowing theft of session cookies, credentials, or other sensitive information. This can lead to unauthorized account access, privilege escalation, and further compromise of the website or connected systems. While availability is not directly affected, the reputational damage and potential data breaches can have significant operational and legal consequences. Organizations relying on this plugin for authentication may face increased risk of targeted attacks, especially if they have multiple users with contributor or higher privileges. The vulnerability's medium severity score reflects the balance between the required privileges and the potential damage. However, the stored nature of the XSS increases risk as the malicious payload persists and affects multiple users over time.
Mitigation Recommendations
To mitigate CVE-2026-1824, organizations should first check for and apply any official patches or updates from the Infomaniak Connect for OpenID plugin vendor once available. In the absence of patches, administrators should restrict Contributor-level access strictly to trusted users to reduce the risk of malicious script injection. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injection attempts targeting the 'endpoint_login' parameter can provide an additional layer of defense. Site owners should also audit existing content generated via the vulnerable shortcode for injected scripts and remove any malicious code. Employing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting the execution of unauthorized scripts. Developers maintaining the plugin or custom integrations should ensure proper input validation and output encoding for all user-supplied data, especially in shortcode parameters. Regular security reviews and user privilege audits will further reduce exposure to similar vulnerabilities.
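The summary above describes the defect as a shortcode attribute written into page output without validation or escaping, and the recommendations ask developers to escape shortcode parameters and site owners to audit stored content. The following PHP is an added illustration written for this page; it is not the Infomaniak Connect for OpenID plugin's code, whose actual handler is not reproduced here. The shortcode tag example_auth_url, the function names, the link markup and the audit heuristic are all assumptions; only the attribute name endpoint_login comes from the advisory. It shows the unsafe output pattern beside a hardened version built on WordPress's own esc_url_raw(), esc_url() and esc_html__() functions, plus an audit helper that walks stored posts and reports endpoint_login values that are not plain http(s) URLs or that contain attribute-breaking characters.

```php
<?php
// Added example for this advisory, not the plugin's own code.
// Assumed shortcode tag: example_auth_url; assumed attribute: endpoint_login.

// UNSAFE pattern: the attribute value is concatenated straight into HTML.
// Shortcode attributes live in post content, so whatever a Contributor placed
// there is stored and rendered for every later visitor (stored XSS, CWE-79).
function example_auth_url_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'endpoint_login' => '' ), $atts, 'example_auth_url' );
    return '<a href="' . $atts['endpoint_login'] . '">Login</a>';
}

// HARDENED pattern: validate the value as an http(s) URL, then escape it for
// the attribute context it is written into. esc_url_raw()/esc_url() return ''
// for any protocol not in the allow-list (javascript:, data:, ...), and
// esc_url() encodes quotes and angle brackets so the value cannot close the
// href attribute or open a new tag.
function example_auth_url_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'endpoint_login' => '' ), $atts, 'example_auth_url' );
    $url  = esc_url_raw( trim( (string) $atts['endpoint_login'] ), array( 'http', 'https' ) );
    if ( '' === $url ) {
        return ''; // reject anything that is not a plain http(s) URL instead of rendering it
    }
    return sprintf(
        '<a href="%s">%s</a>',
        esc_url( $url, array( 'http', 'https' ) ),
        esc_html__( 'Login', 'example-textdomain' )
    );
}
add_shortcode( 'example_auth_url', 'example_auth_url_shortcode_safe' );

// AUDIT helper for site owners: scan stored post content for the shortcode
// and report endpoint_login values that fail the same validation the hardened
// handler applies, or that carry characters able to break out of an attribute.
// Uses get_shortcode_regex() so the parse matches what the renderer would see.
// Returns an array of findings; each entry names the post, its author and the
// raw attribute value so an administrator can review and remove it.
function example_audit_shortcode_endpoints( $tag = 'example_auth_url' ) {
    $findings = array();
    $pattern  = '/' . get_shortcode_regex( array( $tag ) ) . '/s';
    $posts    = get_posts( array(
        'post_type'   => 'any',
        'post_status' => 'any',
        'numberposts' => -1,
        's'           => '[' . $tag, // narrow the query to posts that mention the tag
    ) );

    foreach ( $posts as $post ) {
        if ( ! preg_match_all( $pattern, $post->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            // Group 3 of the shortcode regex is the raw attribute string.
            $atts = shortcode_parse_atts( $m[3] );
            if ( ! is_array( $atts ) ) {
                $atts = array();
            }
            $raw   = isset( $atts['endpoint_login'] ) ? (string) $atts['endpoint_login'] : '';
            $clean = esc_url_raw( trim( $raw ), array( 'http', 'https' ) );
            // Heuristic: flag disallowed protocols and any quote/angle-bracket,
            // since neither belongs in a legitimate endpoint URL.
            if ( '' === $clean || preg_match( '/[<>"\']/', $raw ) ) {
                $findings[] = array(
                    'post_id'        => $post->ID,
                    'author'         => (int) $post->post_author,
                    'endpoint_login' => $raw,
                );
            }
        }
    }
    return $findings;
}
```

The audit function can be invoked from a small admin-only page or a WP-CLI `eval-file` run; review each finding manually rather than deleting automatically, since the heuristic treats an empty or missing endpoint_login as a finding too, which is a misconfiguration rather than an injection. The hardened handler is the durable fix; the allow-listed protocols and the fallback to empty output are the two decisions that make the escaping robust regardless of what was stored.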
Affected Countries
France, Switzerland, Canada, United States, Germany, United Kingdom, Australia, Netherlands, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-03T14:20:47.327Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69abd7c1c48b3f10ff6855ef
Added to database: 3/7/2026, 7:46:09 AM
Last enriched: 3/7/2026, 8:01:36 AM
Last updated: 3/7/2026, 8:53:07 AM