Atomic Edge analysis of CVE-2026-1164 (metadata-based):
The Easy Voice Mail WordPress plugin, version 1.2.5 and earlier, contains an unauthenticated stored cross-site scripting vulnerability. The ‘message’ parameter lacks proper sanitization and output escaping, allowing an attacker to inject arbitrary JavaScript that is stored and later rendered to other users. The CVSS 6.1 score reflects a network-based attack with low complexity and no required privileges, leading to limited confidentiality and integrity impacts in a changed scope context. The source description also mentions administrator access in connection with the injection; that wording conflicts with the ‘unauthenticated’ classification and the no-privileges rating, so the exact authentication requirement should be treated as unconfirmed from metadata alone.

Atomic Edge research indicates the root cause is improper neutralization of input during web page generation (CWE-79). The vulnerability description confirms insufficient input sanitization and output escaping on the ‘message’ parameter. Without source code, we infer the plugin likely processes user-supplied ‘message’ data through an AJAX handler or form submission endpoint, then stores and displays it without applying WordPress `sanitize_text_field()`, `wp_kses()`, or `esc_html()` functions. This inference aligns with common WordPress plugin patterns where user input enters the database via `$wpdb->insert()` or `update_option()` calls, then renders without escaping in admin or frontend pages. Of the two missing controls, output escaping is the decisive one: sanitizing on input alone does not prevent XSS if the stored value is later echoed raw, and it does nothing for values that were stored before the sanitization was added.

Exploitation requires an attacker to send a crafted HTTP request containing JavaScript in the ‘message’ parameter. The attack vector is likely a POST request to `/wp-admin/admin-ajax.php` with an action parameter referencing the plugin’s AJAX hook (a hypothetical name would be `action=easy_voice_mail_save_message`). For such a request to work without a logged-in session, the plugin must register the handler on a `wp_ajax_nopriv_{action}` hook, because `wp_ajax_{action}` hooks only fire for authenticated users. Alternatively, the plugin may use a direct handler at `/wp-admin/admin-post.php`, where the equivalent is `admin_post_nopriv_{action}`. The payload would be a standard XSS vector such as `<script>alert(document.domain)</script>`, or an event-handler variant like `<img src=x onerror=alert(document.domain)>` if script tags happen to be stripped. The ‘unauthenticated’ classification and the no-privileges CVSS rating indicate that no login is required to submit the payload; the description’s separate mention of administrator-level access is inconsistent with that and more plausibly refers to where the stored message is later viewed than to who can submit it. Either way, the inference is that the submission endpoint lacks both a capability check and a nonce check.

Remediation requires proper input validation and output escaping. The patched version 1.2.6 likely adds WordPress sanitization before storing the ‘message’ parameter, such as `sanitize_textarea_field()` for plain text or `wp_kses_post()` if limited HTML is meant to be allowed, and escapes on output with `esc_html()` or `wp_kses()` accordingly. The two choices should match: allowing HTML with `wp_kses_post()` on input and then escaping with `esc_html()` on output would render the permitted tags as literal text. Output escaping is the control that closes the XSS regardless of what was stored earlier, which matters because messages already in the database predate the fix. The fix should also add a capability check using `current_user_can()` where stored messages are listed, and nonce verification with `check_ajax_referer()` or `wp_verify_nonce()` on the submission handler to prevent CSRF. These measures follow WordPress coding standards for handling user input.
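The following is an added illustration of the vulnerable pattern described above beside its hardened form. It is not the Easy Voice Mail plugin’s code: the hook name `evm_save_message`, the option key `evm_messages`, the function names, and the `manage_options` capability are all assumptions chosen to make the pattern concrete, since the advisory metadata does not reveal the plugin’s real handler or storage.

```php
<?php
// Added example, not the plugin's own code. Hook names, option key and
// function names are hypothetical.

// ----- Vulnerable pattern -----
// In the vulnerable version, both the logged-in and the nopriv hook would
// point at this function, e.g.
//   add_action( 'wp_ajax_evm_save_message',        'evm_save_message_vulnerable' );
//   add_action( 'wp_ajax_nopriv_evm_save_message', 'evm_save_message_vulnerable' );
// The nopriv registration is what makes the endpoint reachable without login.

function evm_save_message_vulnerable() {
    // No nonce check, no capability check, raw input stored as-is.
    $messages   = get_option( 'evm_messages', array() );
    $messages[] = array(
        'message' => $_POST['message'], // unsanitized user input
        'time'    => time(),
    );
    update_option( 'evm_messages', $messages );
    wp_send_json_success();
}

function evm_render_messages_vulnerable() {
    foreach ( get_option( 'evm_messages', array() ) as $m ) {
        // Raw echo: a stored <script> tag runs in every viewer's browser.
        echo '<li>' . $m['message'] . '</li>';
    }
}

// ----- Hardened pattern -----
add_action( 'wp_ajax_evm_save_message',        'evm_save_message_safe' );
add_action( 'wp_ajax_nopriv_evm_save_message', 'evm_save_message_safe' );

function evm_save_message_safe() {
    // CSRF protection: the submitting form must carry a nonce created with
    // wp_create_nonce( 'evm_save_message' ) in the _ajax_nonce field.
    // check_ajax_referer() dies with a 403 on failure.
    check_ajax_referer( 'evm_save_message', '_ajax_nonce' );

    // WordPress adds slashes to $_POST; remove them before sanitizing.
    $raw = isset( $_POST['message'] ) ? wp_unslash( $_POST['message'] ) : '';

    // Sanitize on input: strips tags, keeps newlines for a multi-line message.
    $message = sanitize_textarea_field( $raw );
    if ( '' === $message || strlen( $message ) > 2000 ) { // length limit is an arbitrary choice
        wp_send_json_error( 'invalid message', 400 );
    }

    $messages   = get_option( 'evm_messages', array() );
    $messages[] = array( 'message' => $message, 'time' => time() );
    update_option( 'evm_messages', $messages );
    wp_send_json_success();
}

function evm_render_messages_safe() {
    // Restrict who sees stored messages; the capability is an assumption.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    foreach ( get_option( 'evm_messages', array() ) as $m ) {
        // Escape on output regardless of what was sanitized on input, so
        // messages stored before the fix are neutralized too.
        echo '<li>' . esc_html( $m['message'] ) . '</li>';
    }
}
```

The hardened handler deliberately keeps the `nopriv` hook: a voicemail-style plugin may legitimately accept messages from anonymous visitors, so the fix is not to require login but to validate the nonce, sanitize what is stored, and escape at the point of rendering. If anonymous submission is not a requirement, dropping the `wp_ajax_nopriv_` registration and adding a `current_user_can()` check inside the handler closes the endpoint entirely.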

Successful exploitation allows arbitrary JavaScript execution in the browser of any user who views the page where the injected message is rendered. Because the payload is stored, it executes for every user who loads that page until the record is removed. If that page is an administrative listing, the script runs with the administrator’s session: WordPress sets its authentication cookies HttpOnly by default, so direct theft via `document.cookie` is usually blocked, but the script can still issue authenticated requests as the victim (including REST API and admin-ajax calls carrying the page’s nonces) to create users, change options, or install code, which amounts to full site compromise. Other consequences include defacement, redirection to attacker-controlled sites, and exposure of information visible in the WordPress dashboard or on the rendered page.