CVE-2026-1042
Stored XSS in WP Hello Bar Plugin Allows Admin Script Injection
Publication date: 2026-01-20
Last updated on: 2026-01-20
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | wp_hello_bar | to 1.02 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Hello Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'digit_one' and 'digit_two' parameters in all versions up to and including 1.02. This vulnerability arises due to insufficient input sanitization and output escaping, allowing authenticated attackers with administrator-level access or higher to inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the injected page.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrator-level access to inject malicious scripts into the website. These scripts can execute in the context of users visiting the site, potentially leading to theft of sensitive information, session hijacking, or performing actions on behalf of users without their consent. Since the attacker needs high-level access, the risk is limited to compromised or malicious administrators but can still lead to significant security breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the WP Hello Bar plugin version 1.02 or earlier is installed and if the 'digit_one' and 'digit_two' parameters are being used in a way that could allow stored cross-site scripting. Since the vulnerability requires authenticated administrator-level access to inject scripts, monitoring for unusual script injections or unexpected stored scripts in pages generated by the plugin is recommended. Specific commands are not provided in the resources, but general WordPress plugin version checks can be done via WP-CLI commands such as 'wp plugin list' to identify the plugin version. Additionally, inspecting HTTP requests and responses for injected scripts related to 'digit_one' and 'digit_two' parameters may help detect exploitation attempts. [3, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing or disabling the WP Hello Bar plugin if it is installed, as the plugin has been permanently closed and removed from availability as of January 16, 2026. Since no patched version is available, discontinuing use of the plugin is the safest approach. Additionally, restricting administrator-level access to trusted users only and monitoring for any suspicious script injections related to the 'digit_one' and 'digit_two' parameters can help reduce risk. [4]