CVE-2026-0739
Stored XSS in WMF Mobile Redirector Plugin Allows Admin Script Injection
Publication date: 2026-01-14
Last updated on: 2026-01-14
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wmf | mobile_redirector | up to and including 1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WMF Mobile Redirector plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via its plugin settings in all versions up to and including 1.2. The plugin neither sanitizes the settings on input nor escapes them on output (CWE-79), so an authenticated user with Administrator-level access or higher can store arbitrary web script in a setting; the script then runs in the browser of any user who loads a page on which that setting is rendered. Because exploitation requires an Administrator account, the practical exposure is narrower than for a typical stored XSS: on a single-site WordPress install, Administrators already hold the unfiltered_html capability and can publish arbitrary HTML regardless of this bug. The flaw matters mainly on multisite installs, where unfiltered_html is reserved for Super Admins, and on sites that have revoked it (for example through the DISALLOW_UNFILTERED_HTML constant).
How can this vulnerability impact me? :
An attacker who already holds an Administrator account can store a script in the plugin settings that executes in the browsers of users who visit the affected pages. Because WordPress sets its authentication cookies HttpOnly by default, the realistic payload is not cookie theft but riding the victim's session: performing actions with the victim's privileges and nonces (creating users, changing settings, installing plugins when the victim is another administrator), reading page content, or redirecting the victim to a phishing page. The net effect is persistence for an attacker who has compromised or been granted one admin account, plus a foothold against other administrators and visitors, which undermines the integrity of the site and the safety of its users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: confirm that the plugin is installed at version 1.2 or earlier, then look for injected content in its stored settings. The plugin version appears on the Plugins screen and in the plugin's main file header; with WP-CLI, `wp plugin list` prints every installed plugin with its version. Because the bug is a Stored Cross-Site Scripting (XSS) via plugin settings, the evidence lives in the WordPress database rather than on the network, and no network-level commands are provided for it. A practical approach is to review the 'wmf_reoptions' option directly, substituting your site's table prefix for the default `wp_` if wp-config.php sets a different $table_prefix: `SELECT option_value FROM wp_options WHERE option_name = 'wmf_reoptions';` (or `wp option get wmf_reoptions` with WP-CLI). Inspect the value for `<script` tags, inline event handlers such as `onerror=`, and `javascript:` URLs. Plugin settings are commonly stored as a PHP-serialized array, so check every nested string, not only the start of the value. [1]
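The following scanner is an added example, not code from the advisory or from the plugin: it takes an option_value as fetched by the query above, unserializes it when it is a PHP-serialized array (the usual storage form for WordPress plugin settings; the real layout of `wmf_reoptions` is not documented here, so the sample settings and the pattern list are constructed assumptions), and reports every nested setting that contains script-like markup. A plain, unserialized value is scanned as-is, so the same function works for any option name.

```python
"""Scan a WordPress option value (plain or PHP-serialized) for stored XSS.

Added example: feed it the option_value of 'wmf_reoptions' obtained with
the SQL query above or with `wp option get wmf_reoptions`.
"""
import re
import sys

# Markup that has no business in a redirect plugin's settings. The list is an
# assumption for this example; extend it for the plugin you inspect.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"<\s*(?:iframe|svg|img|object|embed)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),        # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"data\s*:\s*text/html", re.I),
]


def php_unserialize(data: bytes):
    """Minimal PHP unserialize() for the types WordPress settings use:
    s (string), i, d, b, N and a (array, nested). Objects (O:) raise."""
    def parse(pos):
        t = data[pos:pos + 1]
        if t == b"N":                                 # N;
            return None, pos + 2
        if t in (b"i", b"d", b"b"):                   # i:42;  d:1.5;  b:1;
            end = data.index(b";", pos)
            raw = data[pos + 2:end]
            conv = {b"i": int, b"d": float, b"b": lambda v: v == b"1"}[t]
            return conv(raw), end + 1
        if t == b"s":                                 # s:LEN:"bytes";  LEN in bytes
            colon = data.index(b":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                         # skip  :"
            text = data[start:start + length].decode("utf-8", "replace")
            return text, start + length + 2           # skip  ";
        if t == b"a":                                 # a:COUNT:{key;value;...}
            colon = data.index(b":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                           # skip  :{
            items = {}
            for _ in range(count):
                key, pos = parse(pos)
                items[key], pos = parse(pos)
            return items, pos + 1                     # skip  }
        raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")

    value, _ = parse(0)
    return value


def decode_option(option_value: str):
    """Unserialize when the value looks PHP-serialized, else return it raw."""
    raw = option_value.encode("utf-8")
    if re.match(rb"^(?:N;|[abids]:)", raw):
        try:
            return php_unserialize(raw)
        except (ValueError, IndexError):
            pass                                      # not serialized after all
    return option_value


def iter_strings(value, path=""):
    """Yield (setting_path, string) for every string nested in the option."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from iter_strings(item, f"{path}[{key}]")
    elif isinstance(value, str):
        yield path or "<root>", value


def find_injected_scripts(option_value: str):
    """Return [(setting_path, pattern, snippet)] for each suspicious setting."""
    findings = []
    for path, text in iter_strings(decode_option(option_value)):
        for pat in XSS_PATTERNS:
            match = pat.search(text)
            if match:
                snippet = text[max(0, match.start() - 10):match.end() + 30]
                findings.append((path, pat.pattern, snippet))
                break                                 # one hit per setting
    return findings


# Constructed samples: a benign settings array and one with an injected tag.
# The real option layout of the plugin is not documented in the advisory.
CLEAN_SAMPLE = ('a:2:{s:10:"mobile_url";s:22:"https://m.example.com/";'
                's:7:"enabled";s:1:"1";}')
INJECTED_SAMPLE = ('a:2:{s:10:"mobile_url";'
                   's:49:"https://m.example.com/"><script>alert(1)</script>";'
                   's:7:"enabled";s:1:"1";}')

if __name__ == "__main__":
    # Usage: python scan_option.py [file-with-option_value]; defaults to sample.
    value = open(sys.argv[1]).read() if len(sys.argv) > 1 else INJECTED_SAMPLE
    for path, pattern, snippet in find_injected_scripts(value):
        print(f"SUSPICIOUS {path}: /{pattern}/ -> {snippet!r}")
```

Save the query result to a file and pass its path as the first argument. A legitimate redirect setting is a URL or a flag, so any hit is worth a manual look; an empty result only means none of the listed patterns matched, not that the value is clean.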
What immediate steps should I take to mitigate this vulnerability?
Update the WMF Mobile Redirector plugin to a release newer than 1.2 that fixes the issue, if the vendor has published one. If no fixed release is available, deactivate the plugin until it is patched; if it must stay active, limit Administrator-level accounts to trusted users protected by multi-factor authentication, since exploitation requires that privilege. Review the plugin settings (the 'wmf_reoptions' option) and remove any injected script; treat injected content as evidence that an administrator account was misused or compromised, and rotate that account's credentials and audit the full administrator list accordingly. [1]