CVE-2026-1300
Stored XSS in Responsive Header WordPress Plugin Allows Admin Script Injection
Publication date: 2026-01-24
Last updated on: 2026-01-24
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mehtevas | responsive_header | to 1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA. The vulnerability involves Stored Cross-Site Scripting (XSS) in a WordPress plugin, which could potentially lead to unauthorized script execution, but there is no direct mention of data breach, personal data exposure, or regulatory compliance implications in the provided resources.
Can you explain this vulnerability to me?
The vulnerability in the Responsive Header WordPress plugin (up to version 1.0) is a Stored Cross-Site Scripting (XSS) issue. It occurs because the plugin does not properly sanitize or escape input in multiple plugin settings parameters. This allows authenticated users with administrator-level access or higher to inject malicious web scripts into pages. These scripts execute whenever any user accesses the affected page. The vulnerability specifically affects multi-site WordPress installations or installations where the unfiltered_html capability has been disabled. [1, 5]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrator-level access to inject arbitrary scripts into the website. These scripts can execute in the context of other users visiting the site, potentially leading to theft of user credentials, session hijacking, defacement, or distribution of malware. Since the vulnerability is stored, the malicious code persists and affects all users who view the injected pages. This can compromise the security and integrity of the website and its users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) in the Responsive Header WordPress plugin settings, exploitable by authenticated administrators. Detection would involve checking for suspicious or unexpected script tags or JavaScript code injected into the plugin's settings parameters or pages rendered by the plugin. Since the plugin adds a settings page in the WordPress admin dashboard titled "Responsive Header," an administrator can manually inspect the settings inputs for malicious scripts. Automated detection could involve scanning the database options table for entries related to the plugin's settings (e.g., options starting with 'insert_rh_') containing suspicious script tags. Example commands to detect suspicious entries in a WordPress database (assuming access to the database) could be: 1. Using MySQL command line: ``` SELECT option_name, option_value FROM wp_options WHERE option_name LIKE 'insert_rh_%' AND option_value LIKE '%<script>%'; ``` 2. Using WP-CLI to search options: ``` wp option list --search=insert_rh_ --format=json | jq '.[] | select(.option_value | contains("<script>"))' ``` Additionally, monitoring HTTP requests to the admin settings page for unusual POST data containing script tags could help detect exploitation attempts. However, no specific detection commands or tools are provided in the resources. [1, 5]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Restrict access to the WordPress admin dashboard to trusted administrators only, as exploitation requires administrator-level access. 2. Disable or remove the Responsive Header plugin, especially since it is no longer maintained or available for download pending a security review. 3. If the plugin must remain active temporarily, ensure that the WordPress setting 'unfiltered_html' is enabled for administrators to prevent the vulnerability from being exploitable (the vulnerability affects installations where 'unfiltered_html' is disabled). 4. Monitor and sanitize all inputs in the plugin's settings pages to prevent injection of malicious scripts. 5. Review and clean any injected scripts from the plugin's settings stored in the database. Since the plugin has been temporarily closed and is no longer available for download pending a full security review, removing or disabling it is the most effective immediate step. [3]