CVE-2026-1074
Published: 07 March 2026
Summary
CVE-2026-1074 is a high-severity stored Cross-site Scripting (CWE-79) vulnerability in the WP App Bar plugin for WordPress. Its CVSS v3.1 base score is 7.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 30.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-1074 is a stored cross-site scripting (XSS) vulnerability in the WP App Bar plugin for WordPress, affecting all versions up to and including 1.5. The flaw arises from insufficient input sanitization and output escaping combined with a missing authorization check in the constructor of the App_Bar_Settings class, reachable via the 'app-bar-features' parameter. Because the write path has no capability check, arbitrary web script can be injected into multiple plugin settings. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and is classified as CWE-79 (Cross-Site Scripting); the changed scope (S:C) reflects that script stored through the plugin executes in the browser of an administrator viewing the settings page.
Unauthenticated attackers can exploit the vulnerability over the network with low complexity and no user interaction at the injection step. Scripts injected through the vulnerable parameter execute whenever a user, including an administrator, opens the plugin's admin settings page. Running in an administrator's browser, such a script can perform privileged actions with that session (for example creating accounts or installing plugins), redirect the victim to a malicious site, or otherwise further compromise the WordPress site. Note that WordPress sets its authentication cookies HttpOnly, so outright cookie theft via document.cookie is less likely than abuse of the live session.
The references, including the Wordfence threat intelligence page and source views from the WordPress plugin Trac repository, point to line 89 of class-app-bar-settings.php in both the 1.5 tag and trunk. Practitioners should consult those resources for the code-level detail and update the plugin to a release later than 1.5 that contains the fix or, until one is available, deactivate it. Existing plugin settings should also be audited for injected markup, since a patch stops new injection but does not remove payloads that are already stored.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10125
Vulnerability details
The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-features' parameter in all versions up to, and including, 1.5. This is due to insufficient input sanitization and output escaping combined with a missing authorization check in the `App_Bar_Settings` class constructor. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into multiple plugin settings that will execute whenever a user accesses the admin settings page.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
Stored XSS with unauthenticated injection directly enables exploitation of a public-facing web application (WordPress plugin).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces the missing authorization check in App_Bar_Settings, blocking unauthenticated modification of plugin settings via the vulnerable parameter.
- SI-10 (Information Input Validation): requires validation of the 'app-bar-features' input so that malicious scripts are rejected or sanitized before they are stored in plugin settings.
- SI-15 (Information Output Filtering): mandates escaping of stored plugin settings on output so that anything injected cannot execute when the admin page is rendered.
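To make the pattern concrete, the following PHP is an added illustration of the anti-pattern described in the deeper analysis (a settings write performed in a class constructor with no authorization, no sanitization and no output escaping) beside a hardened form that applies the three controls listed above. It is not the WP App Bar plugin's code and reconstructs nothing from class-app-bar-settings.php; the option name, the use of $_POST, the admin_post action name, the settings page slug and the feature allow-list are all assumptions made for the example.

```php
<?php
// Added illustration, not the WP App Bar plugin's own code. Option name, request
// parameter source, action name, page slug and allow-list are assumed.

class App_Bar_Settings_Vulnerable {
    public function __construct() {
        // The constructor runs on every request that loads the plugin, for any visitor.
        if ( isset( $_POST['app-bar-features'] ) ) {
            // No current_user_can(), no nonce: an unauthenticated write.
            // No sanitization: whatever was posted is stored for later rendering.
            update_option( 'app_bar_features', wp_unslash( $_POST['app-bar-features'] ) );
        }
    }

    public function render() {
        $features = (array) get_option( 'app_bar_features', array() );
        foreach ( $features as $feature ) {
            // Unescaped output: injected markup executes in the admin's browser.
            echo '<input type="checkbox" name="app-bar-features[]" value="' . $feature . '" checked>';
        }
    }
}

class App_Bar_Settings_Hardened {
    const OPTION  = 'app_bar_features';
    const NONCE   = 'app_bar_save_features';
    const ALLOWED = array( 'search', 'cart', 'account', 'menu' ); // assumed allow-list

    public function __construct() {
        // The constructor only wires hooks. admin_post_{action} (without the
        // _nopriv_ variant) is never dispatched for logged-out requests.
        add_action( 'admin_post_app_bar_save', array( $this, 'save' ) );
        add_action( 'admin_menu', array( $this, 'menu' ) );
    }

    public function menu() {
        add_options_page( 'App Bar', 'App Bar', 'manage_options', 'app-bar', array( $this, 'render' ) );
    }

    public function save() {
        // AC-3: only users allowed to manage options reach the write path.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.', 'app-bar' ), 403 );
        }
        // CSRF protection for the authenticated administrator.
        check_admin_referer( self::NONCE );

        // SI-10: normalise each value and keep only known feature keys.
        $raw   = isset( $_POST['app-bar-features'] ) ? (array) wp_unslash( $_POST['app-bar-features'] ) : array();
        $clean = array_values( array_intersect( array_map( 'sanitize_key', $raw ), self::ALLOWED ) );

        update_option( self::OPTION, $clean );
        wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=app-bar' ) ) );
        exit;
    }

    public function render() {
        $features = (array) get_option( self::OPTION, array() );
        echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
        echo '<input type="hidden" name="action" value="app_bar_save">';
        wp_nonce_field( self::NONCE );
        foreach ( self::ALLOWED as $feature ) {
            $checked = in_array( $feature, $features, true ) ? ' checked' : '';
            // SI-15: escape on output even though the stored value is allow-listed,
            // so a value written by any other path still cannot execute here.
            printf(
                '<label><input type="checkbox" name="app-bar-features[]" value="%1$s"%2$s> %1$s</label>',
                esc_attr( $feature ),
                $checked
            );
        }
        submit_button();
        echo '</form>';
    }
}
```

The hardened class treats the three controls as independent layers: the capability check stops the unauthenticated write on its own, the allow-list stops a compromised or careless administrator from storing markup, and output escaping contains anything that reaches the database regardless of how it got there. Dropping any one of them leaves the other two carrying the full weight, which is exactly the situation the advisory describes.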