CVE-2026-3354 is a stored Cross-Site Scripting (XSS) vulnerability identified in the mooeypoo Wikilookup plugin for WordPress, affecting all versions up to and including 1.1.5. The flaw stems from improper neutralization of input during web page generation, specifically in the 'Popup Width' setting, which lacks sufficient input sanitization and output escaping. This vulnerability is exploitable only in multi-site WordPress installations where the 'unfiltered_html' capability is disabled, and requires the attacker to have authenticated Administrator-level or higher privileges. An attacker can inject arbitrary JavaScript code that is stored persistently and executed whenever any user accesses the infected page, potentially leading to session hijacking, privilege escalation, or other malicious activities. The CVSS 3.1 base score is 4.4, indicating medium severity, with the vector showing network attack vector, high attack complexity, high privileges required, no user interaction, and a scope change. No public exploits have been reported yet. The vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those used in multi-site environments where security configurations like 'unfiltered_html' are disabled. The absence of a patch link suggests that a fix may still be pending or in development.

The impact of this vulnerability is primarily on the confidentiality and integrity of data within affected WordPress multi-site environments. Since exploitation requires Administrator-level access, the threat is limited to insiders or compromised admin accounts. Successful exploitation allows injection of malicious scripts that execute in the context of other users visiting the infected pages, potentially enabling session hijacking, theft of sensitive information, or further privilege escalation. Although availability is not directly affected, the injected scripts could be used to deploy malware or redirect users to malicious sites, indirectly impacting service reliability and user trust. Organizations running multi-site WordPress installations with the mooeypoo Wikilookup plugin and disabled unfiltered_html are at risk, especially those with multiple administrators or contributors. The medium CVSS score reflects the moderate risk due to the high privilege requirement and attack complexity, but the scope change indicates that the vulnerability affects resources beyond the attacker’s initial privileges. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for future exploitation, especially if patches are delayed.

1. Monitor for and apply official patches or updates from the mooeypoo plugin developers as soon as they become available. 2. Restrict Administrator-level access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 3. For multi-site WordPress installations, review and limit the use of the 'unfiltered_html' capability to reduce attack surface. 4. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'Popup Width' setting or similar input fields. 5. Conduct regular security audits and code reviews of installed plugins, especially those that handle user input and output rendering. 6. Educate administrators about the risks of stored XSS and safe plugin configuration practices. 7. Consider isolating or disabling the Wikilookup plugin on multi-site installations if immediate patching is not feasible. 8. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the web application context. 9. Monitor logs for unusual administrator activity or unexpected changes to plugin settings that could indicate exploitation attempts.