CVE-2026-1843 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Super Page Cache plugin for WordPress developed by optimole. This vulnerability exists due to insufficient sanitization of user-supplied input and inadequate escaping of output in the Activity Log feature of the plugin, affecting all versions up to and including 5.2.2. An unauthenticated attacker can exploit this flaw by injecting arbitrary JavaScript code into the Activity Log, which is then stored persistently. When any user, including administrators or other privileged users, views the affected page, the malicious script executes in their browser context. This can lead to session hijacking, theft of cookies or credentials, unauthorized actions performed on behalf of the user, or further exploitation of the affected site. The vulnerability is remotely exploitable over the network without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score of 7.2 reflects these factors, with an attack vector of network, low attack complexity, no privileges required, no user interaction, and a scope change indicating that the vulnerability affects resources beyond the initially vulnerable component. Although no known exploits have been reported in the wild, the widespread use of WordPress and the plugin's popularity make this vulnerability a significant concern. The lack of available patches at the time of disclosure necessitates immediate mitigation efforts by affected organizations.

The impact of CVE-2026-1843 is substantial for organizations using the Super Page Cache plugin on WordPress sites. Successful exploitation allows attackers to execute arbitrary scripts in the context of users visiting the compromised pages, potentially leading to credential theft, session hijacking, and unauthorized administrative actions. This compromises the confidentiality and integrity of user data and site content. The vulnerability does not directly affect availability but can indirectly cause service disruptions if attackers leverage the access gained for further attacks or defacement. Given WordPress's dominant market share in content management systems globally, many organizations, including businesses, government agencies, and non-profits, are at risk. The unauthenticated nature of the exploit lowers the barrier for attackers, increasing the likelihood of widespread exploitation once public proof-of-concept code or exploits become available. The scope change in the CVSS score indicates that the vulnerability affects components beyond the plugin itself, potentially impacting other integrated systems or user sessions. Overall, this vulnerability poses a high risk to the security posture of affected WordPress sites worldwide.

To mitigate CVE-2026-1843, organizations should immediately update the Super Page Cache plugin to a patched version once available from the vendor. Until a patch is released, administrators should disable or restrict access to the Activity Log feature to prevent injection of malicious scripts. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the plugin can provide interim protection. Site administrators should review and sanitize existing Activity Log entries to remove any injected scripts. Employing Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting script execution sources. Regularly auditing plugin usage and minimizing the number of installed plugins reduces the attack surface. Monitoring web server and application logs for suspicious activity related to the plugin can help detect exploitation attempts early. Finally, educating site administrators about the risks of XSS and safe plugin management practices will improve overall security hygiene.