| Plugin Name | WMF Mobile Redirector |
|---|---|
| Type of Vulnerability | Cross-Site Scripting (XSS) |
| CVE Number | CVE-2026-0739 |
| Urgency | Low |
| CVE Publish Date | 2026-01-13 |
| Source URL | CVE-2026-0739 |
CVE-2026-0739 — Authenticated Stored XSS in WMF Mobile Redirector (<=1.2): Risks, Detection, and Mitigation
Date: 2026-01-14
Tags: WordPress, Vulnerability, XSS, WAF, Incident Response
Executive summary
On 13 January 2026 a stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin “WMF Mobile Redirector” (versions ≤ 1.2) was publicly disclosed (CVE-2026-0739). The issue permits an authenticated administrator to store JavaScript inside plugin settings fields that is later rendered unsafely, enabling arbitrary script execution in the context of site pages or the admin dashboard when those settings are viewed. Although the attacker must hold an administrator account to store the malicious payload, successful exploitation allows persistent client-side compromise that can be weaponized for persistent redirects, credential theft, backdooring, or other malicious activities.
This advisory, written from a Hong Kong security expert perspective, walks site owners, developers and incident responders through: what this vulnerability is, who is impacted, practical steps to detect compromise, immediate mitigations (including generic virtual patching with a WAF), long-term fixes and secure coding practices to prevent similar issues.
Note: If you run WMF Mobile Redirector on any WordPress site, treat this vulnerability as actionable. Even though an attacker needs administrator access to inject the payload, persistent XSS can be leveraged to escalate an attack chain and impact site visitors, editors and administrators.
What is stored XSS and why it matters here
Stored or persistent Cross-Site Scripting occurs when an attacker supplies input that is stored by the application (in a database, options table, or similar) and later rendered into pages without proper output encoding or sanitization. Unlike reflected XSS, stored XSS is persistent — every visitor or admin who views the affected page or interface may run the injected script.
For this vulnerability:
- The attack vector: plugin settings parameters (values stored via the plugin’s settings UI).
- The prerequisite: the attacker must be an authenticated administrator (the plugin’s settings UI requires admin capability).
- The impact: stored JavaScript or HTML may execute in contexts where the stored settings are rendered — potentially both on front-end pages and within wp-admin (depending on plugin behavior).
- The real-world impact: persistent redirections, unauthorized admin actions (CSRF combined with stored XSS), session theft, privacy breach, SEO spam, and persistent client-side backdoors are possible.
Even though the attack requires Admin privileges to plant the payload, do not assume an administrator account is always secure. Admin credentials can be leaked, shared, or obtained via other vulnerabilities. Treat stored XSS in admin-editable settings as high-concern for site integrity and reputation.
Vulnerability specifics (high level)
- Affected software: WMF Mobile Redirector plugin for WordPress
- Affected versions: ≤ 1.2
- Vulnerability class: Authenticated (Administrator+) Stored Cross-Site Scripting (XSS)
- CVE: CVE-2026-0739
- Discovery: reported by a security researcher
- Primary cause: unsafe output of settings parameters without output escaping or sanitization prior to rendering
We do not publish exploit details here. The important technical takeaway for site owners and developers: plugin settings values were not properly sanitized and escaped when saved and/or were printed without required encoding when displayed to users, enabling stored client-side script execution.
Who should be concerned?
- Operators and administrators of WordPress sites that have the WMF Mobile Redirector plugin installed (versions ≤ 1.2).
- Managed hosters and WordPress maintenance teams who manage multiple sites using this plugin.
- Development teams that maintain custom plugins/themes which interact with mobile redirection or plugin settings stored in options.
Note: Because the ability to inject requires admin privileges, sites where admin accounts are tightly controlled and protected are at lower immediate risk, but compromise of an admin account or misuse by a legitimate admin (malicious insider) still enables exploitation.
Exploitation scenarios and attacker goals
Stored XSS in plugin settings can be abused in multiple ways:
- Persistent defacement or SEO spam: malicious scripts can insert content or hidden links on public pages.
- Credential harvesting: scripts can display fake admin login prompts or exfiltrate cookies/session tokens.
- Session hijacking: capture cookies and send them to an attacker-controlled server.
- Pivot to further compromise: perform admin-in-context actions (submit forms, change settings) on behalf of someone viewing the admin interface if combined with privileged UI access (CSRF-like behavior).
- Distribution of malware: serve external scripts that redirect visitors to malicious payloads or fraudulent sites.
- Persistence for later attacks: inject backdoor scripts that survive plugin/theme updates until cleaned.
Because these scripts are stored and rendered repeatedly, they can be especially damaging to site reputation, SEO, and visitor trust.
Immediate assessment — how to check if you are affected
-
Identify plugin installation and version:
- From wp-admin: Dashboard → Plugins. Look for “WMF Mobile Redirector” and confirm version.
- From the file system: inspect the plugin header in the main plugin PHP file.
-
If affected (version ≤ 1.2), check common storage locations for suspicious HTML/JS:
- wp_options: plugin settings are commonly stored here.
- Posts/pages (less likely for settings plugin, but always check).
- Plugin-specific custom tables if present.
Use these quick checks (WP-CLI recommended):
wp option list --format=csv | grep -i 'wmf\|mobile_redirect\|wmf_mobile'
Search the database for script tags in options and posts:
# Search options for 'Grep plugin settings files (if settings are in files):
grep -R --line-number "If you find untrusted script tags or suspicious inline JavaScript in stored options or content that you did not place intentionally, treat it as compromise and follow the incident response steps below.
Indicators of compromise (IoCs)
Look for the following signs:
- Unexpected redirects from your site to unknown domains.
- Hidden or injected iframes, script tags, or on-event attributes in pages or admin screens.
- Unauthorized changes to plugin settings that you didn’t make.
- New admin users or login events from unknown IPs around the time of changes.
- Outbound HTTP requests from the browser to unknown third-party domains when viewing site pages.
- Alerts from external scanners detecting JavaScript-based SEO spam.
Check server and application logs for unusual POST requests to plugin settings pages or options saving endpoints (e.g., admin-post.php, options.php, or plugin-specific admin pages). Also examine the timing of admin actions in the WordPress audit logs (if available).
Immediate containment & mitigation steps
If you discover suspicious stored scripts or believe you’re affected, act quickly:
-
Temporarily restrict access
- Restrict admin dashboard access to a small set of IP addresses if possible (via host firewall or server ACLs).
- Rotate administrator passwords and invalidate active sessions for all users:
- In wp-admin: Users → All Users → Edit each Admin → Change password
- Or use WP-CLI to force logout by altering authentication tokens:
wp user session destroy
- Revoke or rotate API keys and credentials used by the site.
-
Take the site to maintenance mode (if necessary)
- Prevent visitors from being served malicious scripts while you investigate.
-
Clean stored payloads
- Remove suspicious script tags from wp_options, posts, postmeta or plugin tables. Prefer manual review to avoid deleting legitimate data.
- Example SQL to view and then remove tags (test first, and backup DB first):
SELECT option_name, option_value FROM wp_options WHERE option_value LIKE '%To remove script tags safely you may use application logic; direct SQL replace is risky.
- Use WP-CLI to search-and-remove suspicious content if you have a tested workflow and backups.
-
Disable the vulnerable plugin
- If an update/fix is not available, deactivate and remove the plugin until a secure version is released.
- Command:
wp plugin deactivate wmf-mobile-redirector
-
Scan & audit
- Run a full site scan for malware and additional injected content.
- Check themes, mu-plugins, and uploads directories for unexpected files.
- Review user accounts and capabilities for unauthorized additions.
-
Restore from a known-good backup (if available)
- If you have clean backups from before the compromise and the timeline of the malicious change is clear, restoring may be the safest route. Ensure credentials and any vulnerable plugins are patched before bringing the restored site online.
Detection rules (WAF / monitoring) — examples you can apply now
While awaiting vendor patching, virtual patching with a Web Application Firewall (WAF) or equivalent request filtering can reduce risk by blocking attempts to store XSS payloads. Below are practical rule ideas security teams can deploy immediately. Deploy in monitoring/log-only mode first to avoid false positives.
-
Block inbound admin requests containing script-like payloads in plugin settings endpoints
Rule concept: If an HTTP POST to any request path that includes
wmf-mobile-redirectoror common options-saving endpoints (/wp-admin/options.php,/wp-admin/admin-post.php) containsjavascript:,onerror=,onload=, or suspicious event-handler attributes, then block or challenge the request.Example detection pattern (pseudo-regex — tune to minimise false positives):
( - Enforce input validation / stripping on admin-side saves
