CVE-2026-3353 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Comment SPAM Wiper plugin for WordPress. The vulnerability exists in all versions up to and including 1.2.1 and specifically affects multisite WordPress installations where the unfiltered_html capability is disabled. The root cause is insufficient sanitization and escaping of the 'API Key' setting input, which allows an authenticated user with Administrator-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the vulnerability is stored, the malicious script persists in the database and executes whenever any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. Exploitation requires authenticated access with high privileges, no user interaction is needed once the script is injected, and the attack scope is limited to multisite environments with specific configuration. The CVSS 3.1 base score is 4.4 (medium severity), reflecting network attack vector, high attack complexity, required privileges, no user interaction, and partial confidentiality and integrity impact. No public exploits have been reported yet, but the vulnerability poses a risk to multisite WordPress administrators and users. The lack of patches at the time of reporting necessitates immediate attention to access controls and input validation.

The primary impact of this vulnerability is the potential for attackers with administrator privileges to inject malicious scripts that execute in the context of users visiting the affected pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential privilege escalation if combined with other vulnerabilities. Since the vulnerability affects multisite installations, a single injection could impact multiple sites within the network, amplifying the damage. The requirement for administrator-level access limits the risk to insider threats or compromised admin accounts but does not eliminate the threat. Organizations relying on WordPress multisite setups with the Comment SPAM Wiper plugin are at risk of data integrity and confidentiality breaches, which could damage reputation and lead to regulatory compliance issues. The medium severity score indicates moderate risk, but the potential for chained attacks or targeted exploitation in high-value environments increases concern.

1. Immediately restrict administrator-level access to trusted personnel only and monitor admin account activity for suspicious behavior. 2. Disable or remove the Comment SPAM Wiper plugin on multisite WordPress installations until a security patch is released. 3. Implement strict input validation and output escaping for all plugin settings, especially the 'API Key' field, to prevent script injection. 4. Enable Web Application Firewall (WAF) rules that detect and block XSS payloads targeting plugin parameters. 5. Regularly audit multisite configurations and user permissions to ensure unfiltered_html is enabled only where necessary. 6. Monitor WordPress security advisories and apply official patches or updates promptly once available. 7. Educate administrators about the risks of stored XSS and the importance of secure plugin management. 8. Consider isolating multisite environments or limiting plugin usage to reduce attack surface. 9. Conduct penetration testing focusing on plugin inputs and multisite-specific configurations to identify similar vulnerabilities.