Attack Vectors

CVE-2026-1843 is a High severity Stored Cross-Site Scripting (XSS) vulnerability affecting the Super Page Cache WordPress plugin (slug: wp-cloudflare-page-cache) in versions 5.2.2 and earlier. The issue is reachable over the network and does not require authentication, meaning an external attacker can attempt exploitation without logging in.

In practical terms, the attack uses the plugin’s Activity Log as the injection point. Because the malicious content is stored, it can execute later when a legitimate user views the affected page or log entry—potentially impacting administrators, editors, or other internal users who have access to those views.

Similar attacks (real examples): Stored or reflected XSS in popular WordPress plugins has been used in the past to hijack admin sessions and inject unauthorized changes. Examples include CVE-2022-21661 (Elementor), CVE-2021-24237 (Contact Form 7 Database Addon), and CVE-2019-9978 (Social Warfare).

Security Weakness

The root cause is insufficient input sanitization and output escaping in the Super Page Cache plugin’s Activity Log functionality. This weakness allows attacker-supplied content to be stored and later rendered in a way that the browser interprets as executable script.

The vulnerability is tracked as CVE-2026-1843 with a CVSS score of 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), reflecting that it can be triggered remotely, without privileges, and can impact users across a security boundary (scope change).

Technical or Business Impacts

For business leaders, the main risk is that a stored XSS payload can execute in the browser of someone with access to sensitive WordPress functions (often an administrator or content manager). This can lead to unauthorized actions performed under a trusted user’s session, such as changing settings, modifying content, or creating persistence through additional changes—depending on the victim’s permissions.

From a marketing and brand perspective, this can translate into site defacement, unauthorized page edits, or malicious redirects that harm campaign performance and customer trust. It may also create compliance exposure if the incident results in unauthorized access to limited sensitive data or introduces tracking/collection scripts, especially for organizations with privacy and governance obligations.

Remediation: Update Super Page Cache to version 5.2.3 or newer patched versions. Reference: Wordfence vulnerability advisory and CVE-2026-1843 record.