
CVE-2026-1261: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Wpmet MetForm Pro

Severity: High
Published: Tue Mar 10 2026 (03/10/2026, 09:25:30 UTC)
Source: CVE Database V5
Vendor/Project: Wpmet
Product: MetForm Pro

Description

CVE-2026-1261 is a high-severity stored Cross-Site Scripting (XSS) vulnerability affecting all versions of the MetForm Pro WordPress plugin up to 3.9.6. The flaw exists in the Quiz feature due to improper input sanitization and missing output escaping, allowing unauthenticated attackers to inject malicious scripts. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability requires no authentication or user interaction to exploit and affects the confidentiality and integrity of user data. Although no known exploits are currently in the wild, the vulnerability's public disclosure necessitates immediate attention. Organizations using MetForm Pro should prioritize patching once a fix is available and implement compensating controls to mitigate risk in the meantime. The threat primarily impacts websites running WordPress with this plugin, which are widespread globally, especially in countries with high WordPress adoption. Due to the ease of exploitation and potential for widespread impact, this vulnerability is rated as high severity with a CVSS score of 7.2.

AI-Powered Analysis

Last updated: 03/10/2026, 10:03:38 UTC

Technical Analysis

CVE-2026-1261 is a stored Cross-Site Scripting (XSS) vulnerability identified in the MetForm Pro plugin for WordPress, specifically affecting the Quiz feature in all versions up to 3.9.6. The root cause is insufficient sanitization of user input and lack of proper output escaping when rendering quiz content on web pages. This allows unauthenticated attackers to inject arbitrary JavaScript code that is stored persistently and executed in the context of any user visiting the affected page. The vulnerability does not require any privileges or user interaction, making it highly accessible for exploitation. The impact includes potential theft of cookies or session tokens, defacement of website content, phishing attacks, and unauthorized actions performed on behalf of users. The vulnerability has been assigned a CVSS v3.1 score of 7.2, reflecting its network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change due to affecting other users. While no public exploits have been reported yet, the widespread use of WordPress and MetForm Pro increases the risk of exploitation. The vulnerability was reserved on January 20, 2026, and published on March 10, 2026, by Wordfence. No official patches are currently linked, indicating users must monitor vendor updates closely. The CWE classification is CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

Potential Impact

The vulnerability enables attackers to execute arbitrary JavaScript in the browsers of users visiting compromised pages, risking the confidentiality and integrity of user data. This can lead to session hijacking, credential theft, unauthorized actions, and phishing attacks. The persistent nature of stored XSS means the malicious payload remains active until removed, potentially affecting all visitors. For organizations, this can result in reputational damage, loss of customer trust, and regulatory penalties if user data is compromised. Since the attack requires no authentication or user interaction, it can be exploited at scale by automated tools. The scope of impact extends to all websites using the vulnerable MetForm Pro plugin, which is popular among WordPress users globally. The availability of the website is not directly affected, but indirect impacts such as blacklisting by search engines or browsers may occur. The vulnerability's exploitation could also serve as a foothold for further attacks within the victim's network.

Mitigation Recommendations

1. Immediately monitor for updates from the Wpmet vendor and apply patches as soon as they are released.
2. Until patches are available, disable or restrict access to the Quiz feature in MetForm Pro to prevent exploitation.
3. Implement a Web Application Firewall (WAF) with rules to detect and block malicious input patterns targeting the Quiz feature.
4. Conduct a thorough audit of all user-generated content in the Quiz feature and sanitize or remove suspicious entries.
5. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages.
6. Educate site administrators on the risks of XSS and encourage regular security reviews of plugins and themes.
7. Use security plugins that provide real-time monitoring and alerting for suspicious activities related to XSS.
8. Regularly back up website data to enable quick restoration if a compromise occurs.
9. Limit user permissions to reduce the risk of unauthorized content injection.
10. Consider isolating critical user sessions with additional authentication or multi-factor authentication to mitigate session hijacking risks.
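The root cause described under Technical Analysis (stored quiz content rendered without output escaping) and mitigation items 4 and 5 above can be exercised offline with the following added example. It is not code from the advisory, from Wordfence, or from the MetForm Pro plugin: the record field names, the sample stored values and the escaping contract (modelled on what WordPress's esc_html() provides) are assumptions made for illustration. The audit walks stored entries with Python's HTML parser and flags the three constructs a reviewer would look for (script-like elements, on* event handlers, and javascript:/data:/vbscript: URLs), then shows that escaping on output leaves nothing for the auditor to flag and builds the nonce-based CSP header recommended in item 5.

```python
"""Added example: offline audit of stored quiz content, escape-on-output, and a CSP
header. Not the advisory's or the plugin's code; all field names and samples are
constructed for illustration."""
import html
import re
import secrets
from html.parser import HTMLParser

# Constructed sample of stored quiz entries, as an auditor might export them from the
# site database. The field names are assumptions, not MetForm Pro's real schema.
STORED_QUIZ_ENTRIES = [
    {"id": 1, "field": "question", "value": "What is 2 + 2?"},
    {"id": 2, "field": "answer", "value": "Four <b>(bold)</b>"},
    {"id": 3, "field": "question", "value": "Capital? <script>document.title='x'</script>"},
    {"id": 4, "field": "answer", "value": '<img src="x" onerror="alert(1)">'},
    {"id": 5, "field": "answer", "value": '<a href="javascript:void(0)">link</a>'},
]

# Elements and attributes that have no business in free-text quiz content.
ACTIVE_CONTENT_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}
DANGEROUS_SCHEME = re.compile(r"\s*(javascript|data|vbscript):", re.I)


class IndicatorFinder(HTMLParser):
    """Collects markup constructs that indicate script injection in stored text."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_CONTENT_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event-handler:{name}")
            elif name in URL_ATTRS and value and DANGEROUS_SCHEME.match(value):
                self.findings.append(f"url-scheme:{name}")


def find_indicators(value):
    """Return the list of indicators found in one stored value ([] if clean)."""
    finder = IndicatorFinder()
    finder.feed(value)
    finder.close()
    return finder.findings


def audit(entries):
    """Map entry id -> indicators for every entry that carries at least one."""
    report = {}
    for entry in entries:
        found = find_indicators(entry["value"])
        if found:
            report[entry["id"]] = found
    return report


def render_escaped(value):
    """Escape-on-output for quiz text: every HTML metacharacter, quotes included.
    This is the contract esc_html() gives a WordPress plugin (assumption: the
    equivalent behaviour, not the plugin's own implementation)."""
    return html.escape(value, quote=True)


def csp_header(nonce):
    """Content-Security-Policy that only runs scripts carrying this response's nonce.
    Generate a fresh nonce per response (see main below); never reuse one."""
    return (
        "Content-Security-Policy: default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; object-src 'none'; base-uri 'self'"
    )


if __name__ == "__main__":
    for entry_id, indicators in audit(STORED_QUIZ_ENTRIES).items():
        print(f"entry {entry_id}: {', '.join(indicators)}")
    # Escaping the flagged entry on output leaves the parser nothing to flag.
    escaped = render_escaped(STORED_QUIZ_ENTRIES[2]["value"])
    print("escaped:", escaped, "->", find_indicators(escaped))
    print(csp_header(secrets.token_urlsafe(16)))
```

Entry 2 (`<b>` only) is deliberately left unflagged so the audit stays useful on sites that allow simple formatting in quiz text; whether `<b>` should survive at all is a policy decision for the site, and the safe default remains to escape everything as render_escaped() does.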


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2026-01-20T20:49:36.993Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69afe91aea502d3aa834a951

Added to database: 3/10/2026, 9:49:14 AM

Last enriched: 3/10/2026, 10:03:38 AM

Last updated: 3/10/2026, 11:01:57 AM

