Attack Vectors
CVE-2026-1071 is a Medium-severity stored cross-site scripting (XSS) vulnerability affecting the WordPress plugin Carta Online (slug: carta-online) in versions up to and including 2.13.0. The issue occurs through the plugin’s administrator-accessible settings, where an authenticated user with Administrator (or higher) privileges could insert malicious script content that is later stored by the site.
Because it is stored XSS, the injected script runs whenever someone loads the affected admin page or any page where the stored content is rendered; the viewer does not have to click anything (UI:N). The vector is network-reachable (AV:N), but it requires an authenticated account with high privileges (PR:H) and is rated high attack complexity (AC:H).
Important scope note: the advisory limits this issue to WordPress multisite installations and to installations where the unfiltered_html capability has been disabled (for example with DISALLOW_UNFILTERED_HTML in wp-config.php). On a standard single-site install, Administrators hold unfiltered_html by default and can already publish arbitrary HTML and script, so storing script through the plugin's settings crosses no security boundary there. On multisite, only Super Admins hold that capability, so a site Administrator who can reach the settings page gains the ability to store script that WordPress would otherwise strip. Confirm which case applies to each site, for instance by checking whether the relevant accounts hold unfiltered_html (current_user_can( 'unfiltered_html' ) or wp user list-caps), rather than assuming exposure is reduced.
Security Weakness
The root cause is insufficient input sanitization and output escaping in Carta Online’s plugin settings handling. In practical terms, the plugin may accept and store unsafe content in its settings, and later display that content in a way that allows scripts to run in the viewer’s browser.
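The following is an added illustration, not code from Carta Online or from the advisory, of the pattern the paragraph above describes: a WordPress settings handler that stores an Administrator's input verbatim and echoes it back unescaped, next to a hardened version that sanitizes on save and escapes on output. All option, field and function names (xss_demo_*) are hypothetical.

```php
<?php
/**
 * Added example (hypothetical xss_demo_* names); not Carta Online's code.
 * Shows the vulnerable pattern and the hardened pattern side by side.
 */

// ---- Vulnerable pattern ------------------------------------------------
// Custom save handler for a form posted to admin-post.php with
// action=xss_demo_save and wp_nonce_field( 'xss_demo_save' ). The value is
// stored verbatim. On a single-site install this Administrator already holds
// unfiltered_html, so nothing new is gained; on multisite (where only Super
// Admins hold it) or with DISALLOW_UNFILTERED_HTML set, a site Administrator
// can store script that WordPress would otherwise strip.
function xss_demo_save_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'xss_demo_save' );
    $raw = isset( $_POST['banner_html'] ) ? wp_unslash( $_POST['banner_html'] ) : '';
    update_option( 'xss_demo_banner_html', $raw ); // no sanitization
    wp_safe_redirect( admin_url( 'options-general.php?page=xss-demo' ) );
    exit;
}
add_action( 'admin_post_xss_demo_save', 'xss_demo_save_unsafe' );

// The settings page echoes the stored value into an attribute unescaped: a
// value such as  "><script>...</script>  breaks out of the attribute and runs
// for every admin who opens the page. The front end echoes it as raw HTML
// for every visitor.
function xss_demo_render_unsafe() {
    $html = get_option( 'xss_demo_banner_html', '' );
    echo '<input type="text" name="banner_html" value="' . $html . '">'; // admin page
    echo '<div class="banner">' . $html . '</div>';                       // front end
}

// ---- Hardened pattern --------------------------------------------------
// 1. Sanitize on the way in via register_setting()'s sanitize_callback.
//    update_option() runs sanitize_option(), so the callback filters every
//    write path (options.php, REST, WP-CLI, and even the unsafe handler
//    above if both halves were loaded together).
function xss_demo_sanitize_banner( $value ) {
    // wp_kses_post() keeps the post allow-list (p, a, strong, img, ...) and
    // drops <script>, on* event handlers and javascript: URLs. Use
    // sanitize_text_field() instead when no markup is needed at all.
    return wp_kses_post( (string) $value );
}

function xss_demo_register_settings() {
    register_setting(
        'xss_demo_group',
        'xss_demo_banner_html',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'xss_demo_sanitize_banner',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'xss_demo_register_settings' );

// 2. Escape on the way out, matching the output context. Sanitizing on save
//    is not enough by itself: values stored before the fix, direct database
//    edits and other plugins writing the option all bypass the callback.
function xss_demo_render_safe() {
    $html = get_option( 'xss_demo_banner_html', '' );
    // Attribute context: esc_attr() encodes quotes, <, > and &.
    echo '<input type="text" name="banner_html" value="' . esc_attr( $html ) . '">';
    // HTML-body context where limited markup is intended: re-apply the
    // allow-list at render time rather than trusting the stored value.
    echo '<div class="banner">' . wp_kses_post( $html ) . '</div>';
}
```

The two fixes are independent and both are needed: the sanitize callback keeps script out of the database, and context-specific escaping (esc_attr for attributes, wp_kses_post or esc_html for the body) keeps any script that does reach the database from executing. A settings page that applies only one of them still fails the unfiltered_html boundary described above.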
This is particularly relevant for leadership and compliance teams because it represents a breakdown in a basic application control: input from privileged users must still be sanitized and escaped. If an admin account is misused (by an insider, through compromised credentials, or because access was over-provisioned), stored XSS in an admin-only area can become a stepping stone to broader misuse of the WordPress environment, since the script runs in the browser of whoever next views the page.
Severity is rated Medium (CVSS 4.4; vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N), reflecting that an attacker needs elevated privileges, but the impact can cross security boundaries (Scope: Changed) and affect confidentiality and integrity at a limited level.
Technical or Business Impacts
From a business-risk perspective, stored XSS can undermine trust in your website and brand by enabling unauthorized content changes, misleading interface elements, or hidden scripts that run for anyone who views the affected pages. This is especially concerning for organizations using WordPress as a customer-facing channel, investor communication hub, or regulated information platform.
Potential impacts include unauthorized changes to displayed content, information exposure in the context of the affected pages, and workflow disruption for marketing and web operations teams who must investigate and clean up injected content. Even if the attack is limited to admin-accessible areas, it can still damage governance and oversight by altering what internal teams see and approve.
This vulnerability had no known patch available at the time of reporting. Risk decisions therefore rest on your organization's tolerance and operational constraints. Practical mitigations include: restricting the Administrator role to the smallest necessary group (on multisite, reviewing per-site administrators as well as Super Admins); reviewing and reducing who can modify plugin settings; monitoring administrative changes, in particular writes to the plugin's stored options; and, where the business impact warrants it, uninstalling Carta Online and replacing it with an alternative product. Deactivating the plugin stops its settings page from being served, but values it already stored remain in the database and should be reviewed for injected markup before any reactivation.
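One way to act on the "monitor administrative changes" step is a small must-use plugin that records every write to the plugin's options and flags values carrying markup WordPress's own allow-list would reject. This is an added example, not part of Carta Online or the Wordfence advisory; the watched option prefix carta_online_ is an assumption, so check the plugin's real option names in wp_options before relying on it.

```php
<?php
/**
 * Plugin Name: Option Change Monitor (added example)
 *
 * Added illustration; drop into wp-content/mu-plugins/ so it loads before
 * regular plugins. The option prefix below is hypothetical.
 */

define( 'OCM_WATCHED_PREFIX', 'carta_online_' ); // assumption: verify against wp_options

/**
 * True if the value contains HTML that wp_kses_post() would strip, i.e.
 * <script>, inline on* handlers, javascript: URLs, disallowed tags.
 * Comparing against the entity-normalized input avoids flagging a bare "&";
 * stray "<" or ">" characters may still trip it, which is acceptable for a
 * triage signal.
 */
function ocm_contains_unsafe_markup( $value ) {
    if ( ! is_string( $value ) ) {
        $value = wp_json_encode( $value );
    }
    return wp_kses_post( $value ) !== wp_kses_normalize_entities( $value );
}

/** Record who changed which option, from where, and whether it looks unsafe. */
function ocm_log_option_change( $option, $old_value, $value ) {
    if ( strpos( $option, OCM_WATCHED_PREFIX ) !== 0 ) {
        return;
    }
    $user   = wp_get_current_user();
    $sample = is_string( $value ) ? $value : wp_json_encode( $value );
    $record = array(
        'time'   => gmdate( 'c' ),
        'site'   => get_current_blog_id(),
        'option' => $option,
        'user'   => $user->exists() ? $user->user_login : 'none',
        'uid'    => get_current_user_id(),
        'ip'     => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'unsafe' => ocm_contains_unsafe_markup( $value ),
        'sample' => substr( $sample, 0, 200 ),
    );
    // error_log() writes to the PHP error log (or wp-content/debug.log when
    // WP_DEBUG_LOG is set); ship that file to your SIEM and alert on
    // "unsafe":true for a watched option.
    error_log( 'option-monitor ' . wp_json_encode( $record ) );
}
add_action( 'updated_option', 'ocm_log_option_change', 10, 3 );

/** added_option passes only ( $option, $value ); normalize to the same logger. */
function ocm_log_added_option( $option, $value ) {
    ocm_log_option_change( $option, null, $value );
}
add_action( 'added_option', 'ocm_log_added_option', 10, 2 );
```

Because updated_option and added_option fire inside update_option() and add_option(), the hook sees writes from the plugin's settings page, the REST API and WP-CLI alike. On multisite, load it network-wide (mu-plugins are) and include the site ID, as above, so a per-site Administrator's change can be traced to the right site. The same hook point (pre_update_option) could also reject a flagged value outright, which is a stricter, virtual-patch style control.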
For reference, the CVE record is available here: https://www.cve.org/CVERecord?id=CVE-2026-1071, and the source advisory is here: https://www.wordfence.com/threat-intel/vulnerabilities/id/1e82c950-54dd-4bdf-9c7c-e880c934ddc9.
Similar Attacks
Stored XSS in WordPress plugins is a recurring risk pattern, particularly when settings pages accept rich text or custom HTML. The following Wordfence coverage illustrates how common this class of issue is:
Elementor Pro vulnerability coverage (Wordfence)