Atomic Edge analysis of CVE-2026-1304:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Restrict Content WordPress plugin affecting versions up to and including 3.2.18. The vulnerability exists in the plugin’s invoice settings interface, allowing administrators to inject arbitrary JavaScript that executes when other users view affected pages. With a CVSS score of 4.4, this medium-severity issue requires administrator-level access but enables persistent script execution across user sessions.

Root Cause:
The vulnerability stems from insufficient output escaping in the invoice settings section of the plugin’s admin interface. Specifically, the file restrict-content/core/includes/admin/settings/settings.php contains multiple fields that accept user input without proper sanitization before rendering. The diff shows that before patching, the plugin used direct output of user-controlled values in the invoice settings form fields without escaping. For example, the invoice company name, address, and other text fields accepted raw HTML and JavaScript that would be rendered directly in the admin interface.

Exploitation:
An attacker with administrator privileges can exploit this vulnerability by navigating to the plugin’s settings page at /wp-admin/admin.php?page=rcp-settings#invoices and injecting malicious JavaScript payloads into invoice-related fields. The attacker would submit crafted HTML/JavaScript through the invoice settings form, which the plugin stores without sanitization. When any user (including lower-privileged users) accesses the settings page or any page that displays invoice information, the malicious script executes in their browser context, potentially allowing session hijacking, administrative actions, or data exfiltration.

Patch Analysis:
The patch addresses the vulnerability by implementing proper output escaping throughout the settings interface. The diff shows extensive changes where previously unescaped output functions like _e() and echo statements were replaced with esc_html_e() and esc_html() calls. For instance, line 309 changed from _e('Before – $10', 'rcp') to esc_html_e('Before – $10', 'rcp'), and line 310 changed from _e('After – 10$', 'rcp') to esc_html_e('After – 10$', 'rcp'). The patch also adds WordPress coding standard comments (phpcs:ignore) and improves overall security hardening by escaping all user-facing output in the settings interface.
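To make the root cause and the fix concrete, the following is an added illustration of the pattern the Root Cause and Patch Analysis sections describe. It is not the plugin's own code and not the patch diff: the rcp_demo_* function names, the invoice_company field name and the sample option value are constructed for this example, and the esc_html()/esc_attr()/esc_html_e() stand-ins only approximate WordPress's real functions so the file runs under plain php without a WordPress install.

```php
<?php
// Added illustration (not the plugin's or the patch's code): a settings field
// rendered the unescaped way the advisory describes, beside the escaped form
// the patch moves to. Names prefixed rcp_demo_ and the sample value are constructed.

// Minimal stand-ins so this runs under plain `php` without WordPress loaded.
// WordPress's real esc_html()/esc_attr() do more (charset handling, double-
// encoding rules), but for this payload they reduce to entity encoding.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html_e')) {
    // WordPress's esc_html_e() translates, escapes and echoes; translation is a no-op here.
    function esc_html_e($text, $domain = 'default') {
        echo esc_html($text);
    }
}

// Before: the stored option is concatenated straight into attribute and text
// context. Anything an administrator saved is emitted verbatim to every viewer.
function rcp_demo_render_field_unescaped(array $settings): string {
    $value = $settings['invoice_company'] ?? '';
    return '<label for="invoice_company">Company name</label>'
         . '<input type="text" id="invoice_company" name="rcp_settings[invoice_company]" value="' . $value . '" />'
         . '<p class="description">Current value: ' . $value . '</p>';
}

// After: attribute context escaped with esc_attr(), text context with esc_html().
// Picking the escaper by output context is the point; one function does not fit both.
function rcp_demo_render_field_escaped(array $settings): string {
    $value = $settings['invoice_company'] ?? '';
    return '<label for="invoice_company">Company name</label>'
         . '<input type="text" id="invoice_company" name="rcp_settings[invoice_company]" value="' . esc_attr($value) . '" />'
         . '<p class="description">Current value: ' . esc_html($value) . '</p>';
}

// Coarse detection check a reviewer or test can run over rendered markup:
// does an executable script tag survive into the output?
function rcp_demo_contains_script(string $html): bool {
    return (bool) preg_match('/<script\b/i', $html);
}

// Constructed sample value, the kind of string a stored-XSS test submits through
// the invoice settings form. The quote-and-bracket tail breaks out of the attribute.
$sample = ['invoice_company' => 'Acme Ltd<script>console.log("xss")</script>"><b>x</b>'];

echo 'Unescaped: ' . (rcp_demo_contains_script(rcp_demo_render_field_unescaped($sample)) ? 'script tag survives' : 'clean') . PHP_EOL;
echo 'Escaped:   ' . (rcp_demo_contains_script(rcp_demo_render_field_escaped($sample)) ? 'script tag survives' : 'clean') . PHP_EOL;

// The echoing variant the patch substitutes for _e() on translated labels.
esc_html_e('Rendered field:', 'rcp');
echo PHP_EOL . rcp_demo_render_field_escaped($sample) . PHP_EOL;
```

Running this prints "script tag survives" for the unescaped renderer and "clean" for the escaped one, and the final line shows the stored value reduced to inert &lt;script&gt; and &quot; entities inside both the value attribute and the description paragraph. When reviewing a patch like this one, the thing to verify field by field is that the escaper matches the context (esc_attr() inside attributes, esc_html() in element text, esc_url() for href/src), since a value escaped for the wrong context can still break out.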

Impact:
Successful exploitation allows authenticated administrators to inject persistent malicious scripts that execute whenever users access the plugin’s settings pages. This enables privilege escalation attacks where an attacker with compromised administrator credentials can maintain persistent access, steal session cookies, perform administrative actions on behalf of other users, or deface the WordPress admin interface. The stored nature of the XSS means the payload remains active until manually removed, creating a persistent threat to all users who access the vulnerable interface.