CVE-2026-1074
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Description
The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-features' parameter in all versions up to, and including, 1.5. This is due to insufficient input sanitization and output escaping combined with a missing authorization check in the `App_Bar_Settings` class constructor. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into multiple plugin settings that will execute whenever a user accesses the admin settings page.
Analysis
Unauthenticated attackers can inject malicious scripts into WordPress sites running the WP App Bar plugin (versions up to 1.5) through the 'app-bar-features' parameter due to missing input validation and authorization checks. When site administrators access the plugin's settings page, the stored payload executes in their browser, enabling credential theft or unauthorized actions. …
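The advisory attributes the issue to two missing controls: no authorization check on the code path that stores the setting, and no sanitization or escaping of the stored value. The following PHP is an added illustration written for this page; it is not the WP App Bar plugin's code and does not reproduce its real handler. It contrasts a settings handler that processes request input in a class constructor without checks against a hardened form that uses standard WordPress APIs. The option name, admin-post action name, allow-list of feature keys and text domain are assumptions.

```php
<?php
// Added example, not the WP App Bar plugin's own code. Names below
// ('app_bar_features', 'app_bar_save_settings', the feature allow-list,
// the 'app-bar' text domain) are assumptions made for illustration.

// --- Unsafe pattern, shown for contrast only ---
// Reading POST data inside the constructor means the write happens on every
// request that instantiates the class, with no capability check, no nonce,
// and no sanitization of the value that is later rendered on the admin page.
class App_Bar_Settings_Unsafe {
    public function __construct() {
        if ( isset( $_POST['app-bar-features'] ) ) {
            update_option( 'app_bar_features', $_POST['app-bar-features'] );
        }
    }
}

// --- Hardened pattern ---
class App_Bar_Settings_Hardened {
    const OPTION = 'app_bar_features';       // assumed option name
    const ACTION = 'app_bar_save_settings';  // assumed admin-post action

    // Assumed allow-list: only these feature keys may ever be stored.
    private $allowed = array( 'search', 'cart', 'account', 'menu' );

    public function __construct() {
        // Do no work in the constructor. Route the save through admin-post.php,
        // which is only reachable for logged-in users, and gate it further below.
        add_action( 'admin_post_' . self::ACTION, array( $this, 'save' ) );
    }

    public function save() {
        // 1. Authorization: only users allowed to manage site options.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.', 'app-bar' ), 403 );
        }

        // 2. CSRF protection: the submitted form must carry a valid nonce.
        check_admin_referer( self::ACTION );

        // 3. Input sanitization: normalise each value to a key-safe string,
        //    then keep only values from the allow-list. Anything that looks
        //    like markup is discarded rather than stored.
        $raw   = isset( $_POST['app-bar-features'] )
            ? (array) wp_unslash( $_POST['app-bar-features'] )
            : array();
        $clean = array_values( array_intersect( array_map( 'sanitize_key', $raw ), $this->allowed ) );

        update_option( self::OPTION, $clean );

        $back = wp_get_referer();
        if ( ! $back ) {
            $back = admin_url( 'options-general.php' );
        }
        wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
        exit;
    }

    public function render_form() {
        $stored = (array) get_option( self::OPTION, array() );

        echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
        echo '<input type="hidden" name="action" value="' . esc_attr( self::ACTION ) . '">';
        wp_nonce_field( self::ACTION );

        foreach ( $this->allowed as $feature ) {
            // 4. Output escaping: every value that reaches HTML goes through
            //    esc_attr()/esc_html(), so even a value that slipped into the
            //    option by another route cannot execute as script here.
            $checked = in_array( $feature, $stored, true ) ? ' checked' : '';
            echo '<label><input type="checkbox" name="app-bar-features[]" value="'
                . esc_attr( $feature ) . '"' . $checked . '> '
                . esc_html( $feature ) . '</label><br>';
        }

        echo '<button type="submit">' . esc_html__( 'Save', 'app-bar' ) . '</button>';
        echo '</form>';
    }
}

new App_Bar_Settings_Hardened();
```

The four numbered comments map onto the advisory's root causes: the capability check and nonce close the missing-authorization path, the allow-list plus `sanitize_key()` removes the stored-payload vector, and the escaping on render means the admin settings page never echoes raw option data. When reviewing a plugin for this class of bug, the quick checks are whether any `$_POST`/`$_GET` read sits outside a hook that is guarded by `current_user_can()` and a nonce check, and whether every `echo` of option data passes through an `esc_*` function.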
Remediation
Within 24 hours: Audit all WordPress installations to identify WP App Bar plugin usage and versions; immediately disable the plugin if not business-critical. Within 7 days: Contact the plugin vendor for patch availability and timeline; implement Web Application Firewall rules to block malicious 'app-bar-features' parameter inputs. …