WP App Bar plugin for WordPress: Unauthenticated admin settings page injection

CVE-2026-1074
Summary

An unauthenticated attacker can inject malicious script (stored cross-site scripting) into settings that are rendered on the WP App Bar plugin's admin settings page, potentially allowing them to modify plugin settings or steal sensitive data from an administrator who views that page. This vulnerability affects all versions of the plugin up to and including 1.5. To protect your site, update to the latest version of the plugin, or remove it entirely if you are no longer using it.

Original title
The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-features' parameter in all versions up to, and including, 1.5. This is due to insufficient input sa...
Original description
The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-features' parameter in all versions up to, and including, 1.5. This is due to insufficient input sanitization and output escaping combined with a missing authorization check in the `App_Bar_Settings` class constructor. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into multiple plugin settings that will execute whenever a user accesses the admin settings page.
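The root cause named above is a combination of three defects: settings written from a class constructor with no authorization check, no input sanitization, and no output escaping. The following is an added illustration, not the plugin's own code; it contrasts that pattern with a hardened one built on standard WordPress APIs (class names, hook wiring and nonce names are assumptions; only the 'app-bar-features' option name comes from the advisory):

```php
<?php
// Added illustration, not the WP App Bar plugin's own code: the save-from-
// constructor pattern the advisory describes (no capability or nonce check,
// no sanitization, no output escaping) next to a hardened version built on
// standard WordPress APIs. Class names and nonce names are hypothetical.

// --- Vulnerable pattern (do not use) ---
class Vulnerable_Settings {
    public function __construct() {
        // Runs on every request that loads the plugin, logged in or not:
        // no current_user_can(), no nonce check, raw input stored as-is.
        if ( isset( $_POST['app-bar-features'] ) ) {
            update_option( 'app-bar-features', $_POST['app-bar-features'] );
        }
    }
    public function render() {
        // Stored value echoed unescaped into the admin settings page.
        echo '<input name="app-bar-features" value="' . get_option( 'app-bar-features' ) . '">';
    }
}

// --- Hardened pattern ---
class Hardened_Settings {
    const OPTION = 'app-bar-features';
    public function __construct() {
        // Nothing is written at construction time; saving is deferred to admin_init.
        add_action( 'admin_init', array( $this, 'maybe_save' ) );
    }
    public function maybe_save() {
        if ( ! isset( $_POST[ self::OPTION ] ) ) {
            return;
        }
        // Authorization: only users allowed to manage options may save.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
        }
        // CSRF: verify the nonce emitted by render() below.
        check_admin_referer( 'hardened_settings_save', '_hardened_nonce' );
        // Sanitize before storage.
        $clean = sanitize_text_field( wp_unslash( $_POST[ self::OPTION ] ) );
        update_option( self::OPTION, $clean );
    }
    public function render() {
        // Escape at output time regardless of what is stored.
        wp_nonce_field( 'hardened_settings_save', '_hardened_nonce' );
        echo '<input name="' . esc_attr( self::OPTION ) . '" value="'
            . esc_attr( get_option( self::OPTION, '' ) ) . '">';
    }
}
```

Note that escaping on output protects administrators even if a value slipped into the database before the fix was applied, which is why both the sanitization and the escaping step are needed.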
NVD CVSS 3.1 score: 7.2
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026