CVE-2026-1071
Stored XSS in Carta Online WordPress Plugin Affects Multi-Site
Publication date: 2026-03-07
Last updated on: 2026-03-07
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lead_solutions_b.v. | carta_online | to 2.13.0 (inc) |
| lead_solutions_b.v. | carta_online | 2.15.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "The vulnerability in CVE-2026-1071 is a Stored Cross-Site Scripting (XSS) issue in the Carta Online plugin for WordPress. It occurs due to insufficient input sanitization and output escaping in the plugin's admin settings, allowing authenticated users with administrator-level permissions or higher to inject arbitrary web scripts. These scripts execute whenever a user accesses the injected page. This vulnerability specifically affects multi-site WordPress installations or installations where the unfiltered_html capability is disabled."}, {'type': 'paragraph', 'content': 'The vulnerability was addressed by adding comprehensive input sanitization callbacks and output escaping functions such as esc_attr() and esc_textarea() to all plugin settings and meta box operations, preventing malicious script injection and execution.'}] [2]
How can this vulnerability impact me? :
This vulnerability allows an attacker with administrator-level access to inject malicious scripts into the plugin's admin settings pages. When other users visit these injected pages, the malicious scripts execute in their browsers.
- It can lead to theft of sensitive information such as cookies or session tokens.
- It may allow attackers to perform actions on behalf of other users (session hijacking).
- It can degrade the trustworthiness and security of the affected WordPress site.
However, the impact is somewhat limited because the attacker must already have administrator-level permissions and the vulnerability only affects multi-site installations or those with unfiltered_html disabled.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Carta Online WordPress plugin affecting admin settings in versions up to 2.13.0. Detection involves checking if the plugin version is vulnerable and if the site is a multi-site installation or has unfiltered_html disabled.
Since the vulnerability requires administrator-level permissions to inject scripts, detection can include reviewing admin settings pages for suspicious or unexpected script tags or payloads.
No specific network commands or automated detection commands are provided in the available resources.
However, general WordPress commands to check the installed plugin version include:
- Using WP-CLI to check plugin version: `wp plugin get carta-online --field=version`
- Manually inspecting the plugin files or admin settings for suspicious script injections.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Carta Online WordPress plugin to a version later than 2.13.0 where the vulnerability has been fixed by implementing comprehensive input sanitization and output escaping.
If immediate updating is not possible, restrict administrator-level access to trusted users only, since exploitation requires authenticated admin permissions.
Additionally, ensure that multi-site installations and sites with unfiltered_html disabled are carefully monitored and consider temporarily disabling the plugin if feasible.
Review and sanitize any existing admin settings that may contain injected scripts.