anonhaven
Ad

CVE-2026-1074

HIGH CVSS 3.1: 7.2 EPSS 0.06%
Updated Mar 07, 2026
WordPress
Parameter Value
CVSS 7.2 (HIGH)
Type CWE-79 (Cross-Site Scripting (XSS) (Межсайтовый скриптинг))
Vendor WordPress
Public PoC No

The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-features' parameter in all versions up to, and including, 1.5. This is due to insufficient input sanitization and output escaping combined with a missing authorization check in the `App_Bar_Settings` class constructor. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into multiple plugin settings that will execute whenever a user accesses the admin settings page.

Attack Parameters

Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Privileges Required
None
Права не нужны
User Interaction
None
Не нужно действие пользователя

Impact Assessment

Confidentiality
Low
Частичная утечка данных
Integrity
Low
Частичная модификация данных
Availability
None
Нет нарушения работы

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS) (Межсайтовый скриптинг)

References 3

https://plugins.trac.wordpress.org/browser/wp-app-bar/tags/1.5/includes/class-a…
security@wordfence.com
https://plugins.trac.wordpress.org/browser/wp-app-bar/trunk/includes/class-app-…
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/9b448712-b989-453f-9a…
security@wordfence.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-2433

WordPress

6.1

CVE-2026-2420

WordPress

4.4

CVE-2026-1825

WordPress

6.4

CVE-2026-1824

WordPress

6.4

CVE-2026-1823

WordPress

6.4