CVE-2026-0743 Overview
The WP Content Permission plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the ohmem-message parameter in all versions up to, and including, 1.2. This vulnerability exists due to insufficient input sanitization and output escaping, allowing authenticated attackers with Administrator-level access to inject arbitrary web scripts that execute whenever a user accesses an injected page.
Critical Impact
Attackers with administrator privileges can inject persistent malicious scripts that execute in the browsers of users visiting affected pages, potentially enabling session hijacking, credential theft, or further malware distribution.
Affected Products
- WP Content Permission plugin for WordPress versions up to and including 1.2
- WordPress installations using the vulnerable plugin versions
Discovery Timeline
- 2026-02-04 - CVE-2026-0743 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-0743
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability resides in the administrative interface of the WP Content Permission plugin. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The flaw occurs when user-supplied input through the ohmem-message parameter is stored in the database and subsequently rendered without proper sanitization or output encoding. While the attack requires administrator-level privileges, the stored nature of the XSS means injected scripts persist and execute for any user who views the affected page, potentially impacting lower-privileged users or other administrators.
Root Cause
The root cause of this vulnerability is the failure to properly sanitize and escape user input in the ohmem-message parameter before storing it in the database and rendering it in the HTML output. The vulnerable code can be found in admin/views/admin.php at line 74. Without proper encoding functions like esc_html() or esc_attr(), attackers can inject HTML and JavaScript code that gets executed in the context of the victim's browser session.
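The pattern described above, as an added illustration that is not the plugin's own code: the page names only the request parameter (ohmem-message) and the escaping functions (esc_html(), esc_attr()), so the option name (ohmem_message), the capability check, the nonce name and the form handling below are assumptions. The first pair of functions shows the CWE-79 pattern of storing raw input and echoing it back; the second pair shows the corrected save and render paths using standard WordPress APIs.

```php
<?php
// Added example, not code from the WP Content Permission plugin.
// Option name, nonce name and capability are assumed for illustration.

/*
 * Vulnerable pattern (CWE-79): the submitted value is stored as-is and
 * later echoed into the admin page without escaping, so any markup in the
 * stored value becomes part of the DOM for every viewer of that page.
 */
function ohmem_save_message_vulnerable() {
    if ( isset( $_POST['ohmem-message'] ) ) {
        update_option( 'ohmem_message', $_POST['ohmem-message'] ); // raw input stored
    }
}

function ohmem_render_message_vulnerable() {
    $message = get_option( 'ohmem_message', '' );
    echo '<div class="notice"><p>' . $message . '</p></div>';                 // raw text output
    echo '<input type="text" name="ohmem-message" value="' . $message . '">'; // raw attribute output
}

/*
 * Hardened pattern: authorise the request, sanitise on input, and escape
 * at output time for the exact HTML context (text node vs. attribute).
 */
function ohmem_save_message_hardened() {
    if ( ! isset( $_POST['ohmem-message'] ) ) {
        return;
    }
    // Capability and nonce checks limit who can write the value at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'ohmem_save_message', 'ohmem_nonce' ); // nonce field name assumed

    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags and control characters before the
    // value reaches the database.
    $message = sanitize_text_field( wp_unslash( $_POST['ohmem-message'] ) );
    update_option( 'ohmem_message', $message );
}

function ohmem_render_message_hardened() {
    $message = get_option( 'ohmem_message', '' );
    // Escape at output time, per context. Input sanitisation alone is not
    // enough: values written by other code paths, or stored before the fix,
    // still reach these lines.
    echo '<div class="notice"><p>' . esc_html( $message ) . '</p></div>';
    echo '<input type="text" name="ohmem-message" value="' . esc_attr( $message ) . '">';
    wp_nonce_field( 'ohmem_save_message', 'ohmem_nonce' );
}
```

The two escaping calls differ on purpose: esc_html() is correct for content between tags, esc_attr() for a quoted attribute value; using the wrong one for the context is a common way an "escaped" output still ends up exploitable.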
Attack Vector
The attack is network-based and requires the attacker to have authenticated access with Administrator-level privileges. The attacker crafts a malicious payload containing JavaScript code and submits it through the ohmem-message parameter in the plugin's administrative interface. Once stored, this payload executes whenever any user accesses the page containing the injected content.
The vulnerability affects the administrative views component of the plugin. Technical details regarding the vulnerable code location can be found in the WordPress Plugin Code Review and the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-0743
Indicators of Compromise
- Unexpected JavaScript code or HTML tags within the ohmem-message configuration values
- Unusual script execution or browser behavior when accessing WP Content Permission plugin pages
- Database entries containing encoded or obfuscated script payloads in plugin-related tables
- Server logs showing administrative requests with suspicious payload patterns to plugin settings endpoints
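A way to audit stored plugin values for the first and third indicators above, as an added example that is neither the plugin's nor the advisory's code. It is plain PHP with no WordPress dependency, so it runs stand-alone; the sample wp_options rows are constructed for the demonstration, and in real use the values would come from get_option() or a dump of the wp_options table. It decodes HTML-entity and URL-encoded forms before matching, so that encoded payloads are not missed.

```php
<?php
// Added example, not from the plugin or the advisory. The sample rows
// below are constructed; the patterns are a starting point for an audit
// of stored settings, not a complete XSS detector.

/**
 * Return the indicators found in one stored value, tagged with the
 * representation (raw, entity-decoded, URL-decoded) in which they matched.
 */
function ohmem_find_script_indicators( string $value ): array {
    $indicators = [];
    $forms = [
        'raw'        => $value,
        'entity'     => html_entity_decode( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' ),
        'urlencoded' => rawurldecode( $value ),
    ];
    $patterns = [
        'script_tag'    => '/<\s*script\b/i',
        'event_handler' => '/\bon[a-z]+\s*=/i',
        'js_uri'        => '/javascript\s*:/i',
        'active_embed'  => '/<\s*(iframe|object|embed|svg)\b/i',
        'base64_blob'   => '/[A-Za-z0-9+\/]{60,}={0,2}/', // long opaque blobs merit a manual look
    ];
    foreach ( $forms as $form => $text ) {
        foreach ( $patterns as $name => $regex ) {
            if ( preg_match( $regex, $text ) ) {
                $indicators[] = $name . ' (' . $form . ')';
            }
        }
    }
    return array_values( array_unique( $indicators ) );
}

/**
 * Scan a map of option_name => option_value and return only the rows
 * that produced at least one indicator.
 */
function ohmem_audit_options( array $options ): array {
    $findings = [];
    foreach ( $options as $name => $value ) {
        $hits = ohmem_find_script_indicators( (string) $value );
        if ( $hits ) {
            $findings[ $name ] = $hits;
        }
    }
    return $findings;
}

// Constructed sample of wp_options rows; only the first is benign.
$sample_options = [
    'ohmem_message'     => 'Please log in to view this content.',
    'ohmem_message_alt' => 'Members only <script src="https://example.invalid/x.js"></script>',
    'ohmem_message_enc' => 'Hi &lt;img src=x onerror=alert(1)&gt;',
    'ohmem_message_url' => 'Hi%20%3Cscript%3Ealert(1)%3C/script%3E',
];

print_r( ohmem_audit_options( $sample_options ) );
```

Expect the benign row to be absent from the result and the other three rows to be flagged, the second by the raw form, the third by the event-handler pattern in both raw and entity-decoded forms, and the fourth only after URL decoding. Any flagged row should be inspected by hand and, if confirmed, replaced with a sanitised value and correlated with the admin activity logs named under Monitoring Recommendations.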
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS payloads in requests to WordPress admin endpoints
- Monitor WordPress admin activity logs for unusual configuration changes to the WP Content Permission plugin
- Deploy Content Security Policy (CSP) headers so that browsers block inline script execution and report violations
- Conduct regular security audits of plugin configurations and database content for injected scripts
Monitoring Recommendations
- Enable detailed logging for WordPress administrative actions and plugin configuration changes
- Configure alerts for modifications to the WP Content Permission plugin settings
- Implement real-time monitoring of web server logs for suspicious request patterns targeting /wp-admin/ paths
- Use security plugins that provide file integrity monitoring and configuration change detection
How to Mitigate CVE-2026-0743
Immediate Actions Required
- Review and update the WP Content Permission plugin to a patched version when available
- Audit existing ohmem-message configuration values for any injected malicious content
- Implement strict Content Security Policy headers to mitigate the impact of stored XSS
- Restrict administrator access to trusted users only and enable two-factor authentication
Patch Information
Organizations should monitor the WordPress plugin repository for an updated version of WP Content Permission that addresses this vulnerability. The vulnerable code is located in admin/views/admin.php at line 74. Additional details are available through the Wordfence Vulnerability Report.
Workarounds
- Consider temporarily disabling the WP Content Permission plugin until a patched version is available
- Implement server-side input validation and output encoding at the web server or WAF level
- Apply Content Security Policy headers to restrict inline script execution
- Limit administrative access to the WordPress installation and conduct access reviews
# Example Content Security Policy header configuration for Apache
# Add to .htaccess or Apache configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
# For Nginx, add to server block
# add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';";
# Caveat: WordPress admin pages depend on inline scripts, so a script-src without 'unsafe-inline' or nonces
# will break wp-admin; roll the policy out in Content-Security-Policy-Report-Only mode first and review the reports
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.