Description
The Carta Online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.13.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-03-07
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Carta Online plugin for WordPress contains a stored Cross-Site Scripting flaw that enables an attacker with administrator or higher privileges to inject malicious JavaScript via the plugin's settings page. The injected payload is stored and rendered on subsequent page loads, so arbitrary client-side code runs in the browser of every user who views the affected page. Because that code runs with the victim’s session and privileges, it can be used to steal session cookies, deface the site, or redirect users to phishing pages.

Affected Systems

Affected systems are WordPress installations running the Carta Online plugin at version 2.13.0 or earlier. The vulnerability is exposed only when the site is part of a multi-site network or when the WordPress unfiltered_html capability has been disabled. Sites that have moved to a newer plugin version, or single-site installations where unfiltered_html remains enabled, are not affected.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate risk, and the EPSS score of less than 1% suggests a low exploitation probability under current conditions. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, meaning no exploitation in the wild had been recorded at the time of analysis. Attackers must first authenticate with an administrator-level role to reach the vulnerable settings page, so the attack vector is an authenticated web interface. Once injected, the script executes for any user who accesses the affected page, creating a persistent client-side threat until the plugin is updated or the injected content is removed.

Generated by OpenCVE AI on April 15, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Carta Online plugin to a version newer than 2.13.0 as soon as possible.
  • If an immediate update is not possible, disable or uninstall the Carta Online plugin to eliminate the vulnerable entry points.
  • Restrict administrator access by limiting the number of users with high‑privilege roles or applying role‑based access controls to prevent unauthorized use of the plugin’s settings page.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: none
Values Added:
  • Cartaonline
  • Cartaonline carta Online
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added:
  • Cartaonline
  • Cartaonline carta Online
  • Wordpress
  • Wordpress wordpress

Sat, 07 Mar 2026 07:45:00 +0000

Type: Description
Values Removed: none
Values Added: The Carta Online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.13.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Type: Title
Values Removed: none
Values Added: Carta Online <= 2.13.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

Type: Weaknesses
Values Removed: none
Values Added: CWE-79

Type: References
Values Removed: none
Values Added:

Type: Metrics
Values Removed: none
Values Added: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:40:48.893Z

Reserved: 2026-01-16T20:12:27.358Z

Link: CVE-2026-1071

Vulnrichment

Updated: 2026-03-09T17:32:06.089Z

NVD

Status: Deferred

Published: 2026-03-07T08:16:08.640

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-1071

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:00:06Z

Weaknesses