CVE-2026-1843

High

Published: 14 February 2026

Published

14 February 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS Score 0.0015 34.7th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1843 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CA-8 Penetration Testing

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

SI-10 Information Input Validation

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

SI-15 Information Output Filtering

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1185 Browser Session Hijacking Collection

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

attack.mitre.org →

Why these techniques?

Stored XSS directly enables exploitation of public-facing web apps (T1190) and facilitates browser session hijacking via injected scripts (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Super Page Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Activity Log in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers…

to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Deeper analysisAI

CVE-2026-1843 is a stored cross-site scripting (XSS) vulnerability affecting the Super Page Cache plugin for WordPress in all versions up to and including 5.2.2. The flaw exists in the Activity Log feature due to insufficient input sanitization and output escaping, allowing arbitrary web scripts to be injected into pages. Published on 2026-02-14, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and is associated with CWE-79.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious scripts via the Activity Log, attackers can have those scripts execute in the browsers of any users who subsequently access the affected pages, potentially leading to session hijacking, data theft, or further compromise depending on the site's context.

Mitigation details are available in referenced advisories, including a patch in WordPress plugin trac changeset 3454474 for wp-cloudflare-page-cache and threat intelligence from Wordfence at the provided vulnerability ID. Security practitioners should update to a patched version beyond 5.2.2 and review sites using this plugin for signs of exploitation.