
CVE-2026-1244: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in codeccoop Forms Bridge – Infinite integrations

Severity: Medium
Published: Wed Jan 28 2026 (01/28/2026, 06:43:41 UTC)
Source: CVE Database V5
Vendor/Project: codeccoop
Product: Forms Bridge – Infinite integrations

Description

CVE-2026-1244 is a stored Cross-Site Scripting (XSS) vulnerability in the Forms Bridge – Infinite integrations WordPress plugin, affecting all versions up to 4.2.5. The flaw arises from improper sanitization and escaping of the 'id' shortcode attribute in the 'financoop_campaign' shortcode, allowing authenticated users with Contributor-level or higher privileges to inject malicious scripts. These scripts execute whenever any user views the compromised page, potentially leading to session hijacking, defacement, or further attacks. The vulnerability has a CVSS score of 6.4 (medium severity) and does not require user interaction but does require authenticated access. No known exploits are currently reported in the wild. European organizations using this plugin on WordPress sites are at risk, especially those with contributors who can add or edit content. Mitigation involves restricting contributor privileges, monitoring shortcode usage, and applying patches or updates once available.

AI-Powered Analysis

Last updated: 02/04/2026, 09:24:33 UTC

Technical Analysis

CVE-2026-1244 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Forms Bridge – Infinite integrations plugin for WordPress, specifically in the handling of the 'id' attribute within the 'financoop_campaign' shortcode. The vulnerability stems from insufficient input sanitization and output escaping in the forms_bridge_financoop_shortcode_error function, which processes user-supplied data. Authenticated users with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into the 'id' parameter. Because the injection is stored, the malicious script executes every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability does not require user interaction but does require authentication with at least Contributor privileges, limiting exploitation to insiders or compromised accounts. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and partial impact on confidentiality and integrity but no impact on availability. No patches or official fixes are currently published, and no known exploits have been observed in the wild. The vulnerability affects all versions of the plugin up to 4.2.5, indicating a broad impact surface for sites using this plugin. The CWE-79 classification confirms this is a classic XSS issue due to improper neutralization of input during web page generation.
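The pattern the analysis describes, as an added illustrative example in PHP (not code from the Forms Bridge plugin; the function names, the integer campaign id and the sample campaign table are assumptions): an 'id' shortcode attribute interpolated raw into an error message, beside a version that validates it on input and escapes it on output.

```php
<?php
// Added example for a WordPress plugin context (shortcode_atts, absint and
// esc_html are WordPress core functions). It is NOT the plugin's own code:
// the real forms_bridge_financoop_shortcode_error() is not reproduced here,
// and the function names and the campaign table below are hypothetical.

// Constructed sample data standing in for the plugin's campaign storage.
function example_lookup_campaign( $id ) {
    $campaigns = array( 7 => 'Spring appeal', 12 => 'Winter appeal' );
    return isset( $campaigns[ $id ] ) ? $campaigns[ $id ] : null;
}

function example_render_campaign( $title ) {
    return '<div class="campaign">' . esc_html( $title ) . '</div>';
}

// Hypothetical vulnerable pattern: the attribute is echoed into HTML as-is,
// so whatever a Contributor saved in id="..." is rendered to every viewer.
function example_campaign_shortcode_vulnerable( $atts ) {
    $atts     = shortcode_atts( array( 'id' => '' ), $atts, 'financoop_campaign' );
    $campaign = example_lookup_campaign( $atts['id'] );
    if ( ! $campaign ) {
        return '<div class="error">Campaign ' . $atts['id'] . ' not found</div>';
    }
    return example_render_campaign( $campaign );
}

// Hardened pattern: constrain the attribute to its expected type on input and
// escape on output, so the error path can never emit attacker-chosen markup.
function example_campaign_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'financoop_campaign' );
    // Campaign ids are integers; absint() reduces any other input to 0.
    $id       = absint( $atts['id'] );
    $campaign = $id ? example_lookup_campaign( $id ) : null;
    if ( ! $campaign ) {
        // esc_html() is defence in depth: even if $id were a string it would
        // reach the page with < > & " ' encoded rather than as HTML.
        $msg = sprintf( 'Campaign %d not found', $id );
        return '<div class="error">' . esc_html( $msg ) . '</div>';
    }
    return example_render_campaign( $campaign );
}

// Registered under a hypothetical tag so as not to collide with the plugin.
add_shortcode( 'example_campaign', 'example_campaign_shortcode_hardened' );
```

With `[example_campaign id="7"]` the hardened handler renders the campaign; with any non-numeric id it returns the literal text "Campaign 0 not found" inside the error div.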

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to WordPress-based websites using the Forms Bridge – Infinite integrations plugin. Successful exploitation can lead to session hijacking, unauthorized actions performed in the context of authenticated users, defacement, or phishing attacks via injected scripts. This can damage organizational reputation, lead to data leakage, and potentially facilitate further attacks such as privilege escalation or malware deployment. Since exploitation requires Contributor-level access, the threat is significant in environments with multiple content editors or where account compromise is possible. The vulnerability could impact customer-facing websites, intranets, or portals, affecting confidentiality and integrity of user data. Given the widespread use of WordPress in Europe and the popularity of plugins for form integration, organizations in sectors such as e-commerce, media, education, and government are particularly at risk. The lack of known exploits in the wild reduces immediate urgency but does not eliminate the risk of targeted attacks or insider threats.

Mitigation Recommendations

1. Immediately audit user roles and permissions to ensure that only trusted users have Contributor-level or higher access, minimizing the risk of malicious shortcode injection.
2. Monitor and review all content submissions that utilize the 'financoop_campaign' shortcode, especially the 'id' attribute, for suspicious or unexpected input.
3. Implement Web Application Firewall (WAF) rules to detect and block malicious script patterns in shortcode parameters.
4. Encourage or enforce the use of Content Security Policy (CSP) headers to limit the impact of injected scripts by restricting script sources.
5. Regularly update WordPress core and plugins; apply any patches released by the vendor for this vulnerability as soon as they become available.
6. Consider temporarily disabling or replacing the Forms Bridge – Infinite integrations plugin if patching is delayed and the risk is unacceptable.
7. Educate content contributors about secure content practices and the risks of injecting untrusted input.
8. Conduct regular security scans focusing on stored XSS vulnerabilities and shortcode misuse.


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-20T18:47:11.943Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6979b5554623b1157c9a94d7

Added to database: 1/28/2026, 7:05:57 AM

Last enriched: 2/4/2026, 9:24:33 AM

Last updated: 2/7/2026, 7:01:37 PM
