CVE-2026-1401 identifies a stored cross-site scripting vulnerability in the Tune Library plugin for WordPress, affecting all versions up to 1.6.3. The root cause is the plugin's CSV import feature, which lacks proper authorization checks and fails to sanitize or escape user-supplied input before rendering it on web pages via the [tune-library] shortcode. Authenticated attackers with Subscriber-level privileges or higher can craft malicious CSV files containing embedded JavaScript payloads. When these files are imported, the malicious scripts are stored persistently in the plugin's data and executed in the browsers of any users who visit the affected pages. This vulnerability leverages CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security flaw. The CVSS 3.1 base score of 6.4 reflects that the attack can be launched remotely over the network with low complexity, requires some privileges (authenticated user), and results in partial confidentiality and integrity impact without affecting availability. The vulnerability does not require user interaction beyond page viewing, and the scope is changed as the injected script can affect multiple users. No official patches are currently linked, so mitigation relies on restricting access, monitoring imports, or disabling the vulnerable functionality until a fix is released.

This vulnerability allows attackers with minimal privileges (Subscriber-level) to inject persistent malicious scripts into WordPress sites using the Tune Library plugin. The impact includes potential theft of user session cookies, enabling account takeover, defacement of website content, or redirection to malicious sites. Because the injected scripts execute in the context of the victim's browser, they can bypass same-origin policies and access sensitive information or perform actions on behalf of users. Organizations running WordPress sites with this plugin are at risk of reputational damage, data leakage, and user trust erosion. The vulnerability's exploitation could also facilitate further attacks such as phishing or malware distribution. Since the CSV import lacks authorization checks, even low-privilege users can exploit it, increasing the attack surface. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks, especially as the vulnerability becomes publicly known.

To mitigate CVE-2026-1401, organizations should immediately restrict CSV import functionality to trusted administrators until a patch is available. Disable or remove the Tune Library plugin if it is not essential. Implement web application firewall (WAF) rules to detect and block suspicious CSV uploads or script payloads targeting the [tune-library] shortcode. Monitor logs for unusual import activity or unexpected shortcode usage. Educate users with import privileges about the risks of importing untrusted CSV files. Apply strict input validation and output encoding on all user-supplied data in custom implementations. Once a vendor patch is released, promptly update the plugin to the fixed version. Additionally, consider employing Content Security Policy (CSP) headers to limit script execution sources and reduce the impact of potential XSS attacks. Regularly audit user roles and permissions to minimize the number of users with import capabilities.