{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1074", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-16T20:22:03.551Z", "datePublished": "2026-03-07T07:22:06.543Z", "dateUpdated": "2026-04-08T17:11:14.041Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:14.041Z"}, "affected": [{"vendor": "ryscript", "product": "WP App Bar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-features' parameter in all versions up to, and including, 1.5. This is due to insufficient input sanitization and output escaping combined with a missing authorization check in the `App_Bar_Settings` class constructor. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into multiple plugin settings that will execute whenever a user accesses the admin settings page."}], "title": "WP App Bar <= 1.5 - Unauthenticated Stored Cross-Site Scripting via 'app-bar-features' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b448712-b989-453f-9acb-5556e01e41a4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-app-bar/trunk/includes/class-app-bar-settings.php#L89"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-app-bar/tags/1.5/includes/class-app-bar-settings.php#L89"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Bhumividh Treloges"}], "timeline": [{"time": "2026-03-06T18:49:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:35:03.368107Z", "id": "CVE-2026-1074", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:28:23.057Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1074", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T17:35:03.368107Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:35:10.901Z"}}], "cna": {"title": "WP App Bar <= 1.5 - Unauthenticated Stored Cross-Site Scripting via 'app-bar-features' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Bhumividh Treloges"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "ryscript", "product": "WP App Bar", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-06T18:49:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b448712-b989-453f-9acb-5556e01e41a4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-app-bar/trunk/includes/class-app-bar-settings.php#L89"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-app-bar/tags/1.5/includes/class-app-bar-settings.php#L89"}], "descriptions": [{"lang": "en", "value": "The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-features' parameter in all versions up to, and including, 1.5. This is due to insufficient input sanitization and output escaping combined with a missing authorization check in the `App_Bar_Settings` class constructor. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into multiple plugin settings that will execute whenever a user accesses the admin settings page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:14.041Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1074", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:11:14.041Z", "dateReserved": "2026-01-16T20:22:03.551Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-07T07:22:06.543Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-features' parameter in all versions up to, and including, 1.5. This is due to insufficient input sanitization and output escaping combined with a missing authorization check in the `App_Bar_Settings` class constructor. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into multiple plugin settings that will execute whenever a user accesses the admin settings page."}, {"lang": "es", "value": "El plugin WP App Bar para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro 'app-bar-features' en todas las versiones hasta la 1.5, inclusive. Esto se debe a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes, combinados con una falta de verificaci\u00f3n de autorizaci\u00f3n en el constructor de la clase 'App_Bar_Settings'. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en m\u00faltiples configuraciones del plugin que se ejecutar\u00e1n cada vez que un usuario acceda a la p\u00e1gina de configuraci\u00f3n de administraci\u00f3n."}], "id": "CVE-2026-1074", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-07T08:16:09.020", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-app-bar/tags/1.5/includes/class-app-bar-settings.php#L89"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-app-bar/trunk/includes/class-app-bar-settings.php#L89"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b448712-b989-453f-9acb-5556e01e41a4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP App Bar", "source": "cna", "vendor": "ryscript"}, "product": "wp_app_bar", "vendor": "ryscript"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T19:49:40.985499+00:00", "value": {"mitigation_remediation": ["Upgrade WP App Bar to the latest release (v1.6 or newer) which removes the vulnerability.", "If an upgrade is not possible, disable the plugin and delete its settings from the database to prevent stored script execution.", "Restrict access to the WordPress admin dashboard to users with the minimum required role and consider implementing input validation for the app\u2011bar\u2011features parameter."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting that can execute arbitrary scripts when an administrator accesses the plugin\u2019s settings page"}, "threat_synthesis": {"affected_systems": "Any WordPress installation that has the WP App Bar plugin up to and including version 1.5 is affected. The flaw resides entirely in the plugin code; the WordPress core version does not influence the vulnerability. Site owners should verify the installed version and determine if the plugin is present.", "description_and_impact": "The WP App Bar plugin contains a stored cross\u2011site scripting vulnerability caused by insufficient sanitization of the app\u2011bar\u2011features parameter and a missing authorization check in the settings constructor. Because the input is not validated and output is not escaped, an attacker can store malicious JavaScript in the plugin\u2019s settings. When an administrator later accesses the settings page, the stored script is injected into the page and executed in the context of the administrator\u2019s browser session.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity flaw. The EPSS score being below 1\u202f% indicates a low probability of exploitation in the wild. The flaw is not listed in CISA\u2019s KEV catalog. Based on the description, it is inferred that an attacker can inject and store JavaScript through the app\u2011bar\u2011features field, which is then executed whenever an administrator visits the plugin\u2019s settings page. This execution occurs in the administrator\u2019s browser context and could expose that session to further malicious actions. The risk is therefore limited to administrative accounts, but successful exploitation could allow the attacker to carry out any activity that the administrator can perform."}}}}, "created": "2026-03-09T10:05:36.536373+00:00", "updated": "2026-04-15T20:00:06.603553+00:00", "vendors": ["ryscript", "ryscript$PRODUCT$wp_app_bar", "wordpress", "wordpress$PRODUCT$wordpress"]}