CVE-2026-1893 identifies a stored cross-site scripting vulnerability in the Orbisius Random Name Generator plugin for WordPress, specifically in versions up to and including 1.0.2. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), where the 'btn_label' parameter in the 'orbisius_random_name_generator' shortcode is not adequately sanitized or escaped before being rendered on pages. This flaw enables authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions within the context of the victim's browser session. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacts confidentiality and integrity with no availability impact. No public exploits have been reported yet, but the risk remains significant due to the ease of exploitation by authenticated users. The plugin is widely used in WordPress environments, which are prevalent in many European organizations for content management and web presence. The lack of a current patch necessitates immediate mitigation steps to prevent exploitation.

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of web applications using the affected plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, credential theft, unauthorized actions, or defacement. This can damage organizational reputation, lead to data breaches, and disrupt business operations. Since WordPress is widely adopted across Europe, especially in small and medium enterprises and public sector websites, the scope of affected systems can be significant. The vulnerability does not affect availability directly but can indirectly cause service disruptions if exploited for defacement or further attacks. Organizations with multiple contributors or less restrictive access controls are at higher risk. The absence of known exploits in the wild currently reduces immediate threat but does not eliminate the risk, especially as attackers often target known vulnerabilities in popular CMS plugins.

1. Monitor the vendor’s announcements and apply official patches or updates as soon as they become available to fix the vulnerability. 2. Until a patch is released, restrict Contributor-level and higher access to trusted users only and review user permissions to minimize risk. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns related to the 'btn_label' parameter or shortcode usage. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5. Conduct regular security audits and code reviews of custom shortcodes or plugins to ensure proper input sanitization and output escaping. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict content validation policies. 7. Consider temporarily disabling the Orbisius Random Name Generator plugin if it is not critical to operations until a secure version is available.