Description
The Responsive Header plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple plugin settings parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-01-24
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via plugin settings
Action: Update Plugin
AI Analysis

Impact

The Responsive Header plugin for WordPress is vulnerable to stored cross‑site scripting because several settings parameters are written without proper sanitization or escaping. An attacker who can log into the WordPress admin area with administrator privileges can modify these settings to embed malicious JavaScript, which will run whenever another user views a page that includes the affected settings. This flaw allows attackers to deface content, steal session cookies, or redirect users to phishing sites.

Affected Systems

The vulnerability exists in all versions of the Responsive Header plugin released by the vendor mehtevas, up to and including version 1.0. The issue is confined to multisite WordPress installations where the unfiltered_html capability has been disabled, meaning that only network‑wide or site‑wide administrators who can edit plugin settings are at risk.

Risk and Exploitability

With a CVSS score of 4.4 the flaw is considered moderate. Its EPSS score of less than 1 % indicates a low likelihood of exploitation in the wild, and it is not listed in CISA’s KEV catalog. However, because it requires administrator access, any compromised admin account could leverage the flaw immediately, making it prudent to address the issue as soon as reasonably possible.

Generated by OpenCVE AI on April 15, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest version of the Responsive Header plugin that removes the insecure input handling.
  • If no newer release is available, disable or uninstall the plugin entirely from all sites in the network.
  • Restrict administrator accounts to a minimal set of trusted users and audit admin activity regularly.

Generated by OpenCVE AI on April 15, 2026 at 21:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 24 Jan 2026 09:15:00 +0000

Type Values Removed Values Added
Description The Responsive Header plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple plugin settings parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Responsive Header Plugin <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Parameters
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:51.715Z

Reserved: 2026-01-21T18:44:21.554Z

Link: CVE-2026-1300

cve-icon Vulnrichment

Updated: 2026-01-26T17:43:57.587Z

cve-icon NVD

Status : Deferred

Published: 2026-01-24T09:15:54.353

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1300

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T21:45:14Z

Weaknesses