CVE-2026-1189 is a stored cross-site scripting (XSS) vulnerability identified in the LeadBI Plugin for WordPress, specifically affecting all versions up to and including 1.7. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in the 'form_id' parameter of the 'leadbi_form' shortcode. This flaw allows authenticated attackers with at least Contributor-level privileges to inject arbitrary JavaScript code into WordPress pages. Because the malicious script is stored persistently, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability does not require user interaction beyond visiting the infected page and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based with low attack complexity and privileges required are low (Contributor-level). The scope is changed as the vulnerability affects other users beyond the attacker. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. However, the presence of this vulnerability in a widely used WordPress plugin used for lead generation and marketing forms increases the risk profile, especially for websites that allow multiple users with Contributor or higher roles.

For European organizations, this vulnerability can lead to unauthorized script execution within their WordPress environments, potentially compromising user sessions, stealing sensitive data, or performing unauthorized actions. Organizations relying on the LeadBI plugin for marketing or lead capture may face data integrity and confidentiality breaches, damaging customer trust and violating data protection regulations such as GDPR. The stored nature of the XSS means that any user visiting the infected page is at risk, increasing the attack surface. This can also facilitate further attacks such as phishing or malware distribution. The medium severity score indicates a significant but not critical risk, yet the ease of exploitation by authenticated users with relatively low privileges makes it a notable threat. The lack of known exploits in the wild suggests an opportunity for proactive mitigation before widespread abuse occurs.

European organizations should immediately audit their WordPress installations to identify the presence of the LeadBI plugin and its version. Until an official patch is released, administrators should restrict Contributor-level access and above to trusted users only, minimizing the risk of malicious input injection. Implementing Web Application Firewalls (WAF) with rules to detect and block suspicious input patterns related to the 'form_id' parameter can help mitigate exploitation. Additionally, organizations should enforce strict Content Security Policies (CSP) to limit the execution of unauthorized scripts. Regularly monitoring logs for unusual activity or script injections on pages using the 'leadbi_form' shortcode is recommended. Finally, organizations should stay alert for updates or patches from the vendor and apply them promptly once available.