CVE-2026-1247 is a stored cross-site scripting (XSS) vulnerability identified in the seosbg Survey plugin for WordPress, affecting all versions up to and including 1.1. The root cause is insufficient input sanitization and output escaping in the plugin's admin settings interface, which allows authenticated users with administrator-level permissions or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed whenever any user accesses the compromised page. The vulnerability specifically impacts WordPress multi-site installations or single-site installations where the unfiltered_html capability is disabled, limiting the contexts in which exploitation is possible. The attack vector requires network access (remote), high attack complexity, and privileges of an administrator, but no user interaction is needed once the script is injected. The vulnerability affects confidentiality and integrity by enabling script execution that could steal sensitive data or modify site content, but it does not impact availability. The CVSS v3.1 base score is 4.4, reflecting these factors. No public exploits have been reported to date, and no patches have been linked yet. The vulnerability was reserved in January 2026 and published in March 2026 by Wordfence. This issue falls under CWE-79, which covers improper neutralization of input during web page generation leading to cross-site scripting.

The primary impact of CVE-2026-1247 is the potential for attackers with administrator privileges to inject malicious scripts that execute in the context of site visitors or administrators. This can lead to theft of sensitive information such as authentication tokens, cookies, or personal data, and may allow attackers to perform actions on behalf of users, compromising site integrity. Since exploitation requires administrator-level access, the risk is somewhat mitigated by the need for high privileges, but insider threats or compromised admin accounts could leverage this vulnerability. The scope is limited to multi-site WordPress installations or those with unfiltered_html disabled, reducing the overall affected population. However, organizations relying on the seosbg Survey plugin in these configurations could face reputational damage, data breaches, and potential compliance issues if exploited. The vulnerability does not affect availability, so denial-of-service is unlikely. Given no known exploits in the wild, immediate widespread impact is low but could increase if exploit code is developed.

To mitigate CVE-2026-1247, organizations should first verify if they are running the seosbg Survey plugin version 1.1 or earlier in a multi-site WordPress environment or with unfiltered_html disabled. Since no official patch links are currently available, administrators should consider the following specific actions: 1) Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms to reduce risk of privilege abuse. 2) Temporarily disable or uninstall the vulnerable plugin until a fixed version is released. 3) Implement web application firewall (WAF) rules to detect and block suspicious script injection patterns in admin settings inputs. 4) Conduct thorough audits of admin-configured content to identify and remove any injected scripts. 5) Monitor logs for unusual administrator activity or unexpected page content changes. 6) Once a patch is released, promptly apply updates and verify sanitization improvements. 7) Educate administrators on the risks of XSS and safe input handling practices. These targeted mitigations go beyond generic advice by focusing on access control, plugin management, and proactive detection tailored to this vulnerability's characteristics.