Cyber Resilience

CVE-2026-1074

High

Published: 07 March 2026

Modified: 22 April 2026
KEV Added:
Patch:
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0012 (30.8th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-1074 is a high-severity cross-site scripting (CWE-79) vulnerability in WordPress (affected product inferred from references). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score ranks it at the 30.8th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1074 is a stored cross-site scripting (XSS) vulnerability in the WP App Bar plugin for WordPress, affecting all versions up to and including 1.5. The flaw arises from insufficient input sanitization and output escaping, combined with a missing authorization check in the constructor of the App_Bar_Settings class, specifically via the 'app-bar-features' parameter. This allows arbitrary web scripts to be injected into multiple plugin settings. The vulnerability is rated with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and is associated with CWE-79 (Cross-Site Scripting).

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious scripts through the vulnerable parameter, attackers can have those scripts execute whenever any user, including administrators, accesses the plugin's admin settings page. This enables potential theft of admin session cookies, redirection to malicious sites, or further compromise of the WordPress site.

Advisories and references, including the Wordfence threat intelligence page and source code views from the WordPress plugin trac repository, highlight the exact location of the issue at line 89 in class-app-bar-settings.php across version 1.5 and the trunk. Security practitioners should consult these resources for detailed analysis and update to a patched version of the plugin beyond 1.5 to mitigate the vulnerability.

EU & UK References

Vulnerability details

The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-features' parameter in all versions up to, and including, 1.5. This is due to insufficient input sanitization and output escaping combined with a missing authorization check in the `App_Bar_Settings` class constructor. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into multiple plugin settings that will execute whenever a user accesses the admin settings page.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stored XSS with unauthenticated injection directly enables exploitation of a public-facing web application (WordPress plugin).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47873 (shared CWE-79)
CVE-2026-7052 (shared CWE-79)
CVE-2024-56060 (shared CWE-79)
CVE-2025-49043 (shared CWE-79)
CVE-2026-40038 (shared CWE-79)
CVE-2024-56022 (shared CWE-79)
CVE-2025-68889 (shared CWE-79)
CVE-2025-22539 (shared CWE-79)
CVE-2025-22286 (shared CWE-79)
CVE-2025-68031 (shared CWE-79)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

prevent: Directly enforces the missing authorization check in App_Bar_Settings, blocking unauthenticated modification of plugin settings via the vulnerable parameter.

prevent: Requires validation of the 'app-bar-features' input to reject or sanitize malicious scripts before they are stored in plugin settings.

prevent: Mandates output filtering/escaping of stored plugin settings so injected scripts cannot execute when the admin page is rendered.
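The three controls above map onto three concrete coding practices in a WordPress settings handler: authorize before changing state, allow-list the input before storing it, and escape every stored value when rendering the admin page. The following is an added illustration of that pattern written for this page; it is not the WP App Bar plugin's source and does not reproduce its code. The class name Example_App_Bar_Settings, the option key 'example_app_bar_features', the nonce action, and the feature allow-list are all assumptions chosen for the example; only the 'app-bar-features' parameter name comes from the advisory text.

```php
<?php
/**
 * Hypothetical hardened settings handler for a WordPress plugin.
 * Example code added to this page, not the WP App Bar plugin's own source.
 * Example_App_Bar_Settings, OPTION_KEY, NONCE_ACTION and ALLOWED_FEATURES
 * are assumed names/values for illustration.
 */
class Example_App_Bar_Settings {

    const OPTION_KEY   = 'example_app_bar_features';
    const NONCE_ACTION = 'example_app_bar_save';

    // Allow-list of feature identifiers the settings form is permitted to store.
    const ALLOWED_FEATURES = array( 'search', 'cart', 'account', 'menu' );

    public function __construct() {
        // No state-changing work in the constructor: the save path runs in a
        // dedicated handler that performs its own authorization check.
        add_action( 'admin_init', array( $this, 'maybe_save_settings' ) );
        add_action( 'admin_menu', array( $this, 'register_page' ) );
    }

    public function register_page() {
        add_options_page( 'App Bar', 'App Bar', 'manage_options', 'example-app-bar', array( $this, 'render_page' ) );
    }

    /**
     * AC-3 (Access Enforcement): refuse the request unless the caller holds
     * the required capability and presents a valid nonce for this action.
     */
    public function maybe_save_settings() {
        if ( ! isset( $_POST['app-bar-features'] ) ) {
            return;
        }
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
        }
        check_admin_referer( self::NONCE_ACTION );

        // SI-10 (Information Input Validation): normalise and allow-list the
        // submitted value before anything reaches the options table.
        $features = self::sanitize_features( wp_unslash( $_POST['app-bar-features'] ) );
        update_option( self::OPTION_KEY, $features );
    }

    /**
     * Accept a comma-separated string or an array of feature names, keep only
     * allow-listed identifiers, and return a clean, de-duplicated array.
     */
    public static function sanitize_features( $raw ) {
        $items = is_array( $raw ) ? $raw : explode( ',', (string) $raw );
        $clean = array();
        foreach ( $items as $item ) {
            $key = sanitize_key( $item ); // lowercases and strips anything outside [a-z0-9_-]
            if ( in_array( $key, self::ALLOWED_FEATURES, true ) ) {
                $clean[ $key ] = true;
            }
        }
        return array_keys( $clean );
    }

    /**
     * Output escaping: every stored value is escaped for the HTML context it is
     * printed in, so even a value that reached the options table by some other
     * path cannot execute when the admin page is rendered.
     */
    public function render_page() {
        if ( ! current_user_can( 'manage_options' ) ) {
            return;
        }
        $stored = (array) get_option( self::OPTION_KEY, array() );
        echo '<form method="post">';
        wp_nonce_field( self::NONCE_ACTION );
        foreach ( self::ALLOWED_FEATURES as $feature ) {
            $checked = in_array( $feature, $stored, true ) ? ' checked' : '';
            printf(
                '<label><input type="checkbox" name="app-bar-features[]" value="%1$s"%2$s> %3$s</label><br>',
                esc_attr( $feature ),
                $checked,
                esc_html( $feature )
            );
        }
        submit_button();
        echo '</form>';
    }
}

new Example_App_Bar_Settings();
```

The design point is that each control is independent: the capability and nonce check stops unauthenticated writes, the allow-list means a write that somehow passes still cannot store script content, and the escaping on output means stored content cannot execute even if both earlier layers failed. A review of a plugin for this CWE should confirm all three are present on every settings write and read path, not just the one named in the advisory.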

References