CVE-2026-1401 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Tune Library plugin for WordPress, affecting all versions up to and including 1.6.3. The vulnerability arises due to improper neutralization of input during web page generation (CWE-79). Specifically, the plugin’s CSV import functionality does not perform adequate authorization checks nor sanitize user-supplied data before rendering it via the [tune-library] shortcode. Authenticated users with Subscriber-level privileges or higher can exploit this by importing a crafted CSV file containing malicious JavaScript payloads. Because the plugin fails to escape or sanitize this data on output, the injected scripts are stored and executed in the context of any user who views the affected page. This can lead to session hijacking, unauthorized actions, or data theft. The vulnerability has a CVSS v3.1 score of 6.4, indicating medium severity with network attack vector, low complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with no effect on availability. No public exploits are currently known, but the vulnerability’s presence in a popular CMS plugin and the low complexity of exploitation make it a significant risk. The lack of patch links suggests a fix may not yet be available, emphasizing the need for interim mitigations. The vulnerability was published on February 6, 2026, and was assigned by Wordfence.

For European organizations, this vulnerability poses a moderate risk primarily to confidentiality and integrity of web applications running WordPress with the Tune Library plugin installed. Attackers with low-level authenticated access can inject persistent malicious scripts, potentially compromising user sessions, stealing sensitive data, or performing unauthorized actions under the victim’s identity. This can lead to reputational damage, regulatory non-compliance (e.g., GDPR breaches if personal data is exposed), and operational disruptions. Since WordPress powers a significant portion of websites in Europe, including government, education, and private sectors, the attack surface is substantial. The vulnerability’s exploitation could facilitate lateral movement or privilege escalation within compromised environments. Although availability is not directly impacted, the indirect consequences of data breaches or defacements can be severe. The medium CVSS score reflects the balance between ease of exploitation and the requirement for authenticated access, but the broad deployment of WordPress increases the potential impact.

1. Immediately restrict CSV import functionality to trusted, higher-privileged users only, ideally administrators. 2. Implement strict input validation and sanitization on all imported CSV data before processing or rendering. 3. Apply output escaping on all user-supplied content rendered via the [tune-library] shortcode to prevent script execution. 4. Monitor web server and application logs for unusual CSV import activity or unexpected script injections. 5. Disable or uninstall the Tune Library plugin if it is not essential until a security patch is released. 6. Educate users with import privileges about the risks of importing untrusted CSV files. 7. Employ Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting this plugin. 8. Keep WordPress core and all plugins updated to the latest versions to reduce exposure to known vulnerabilities. 9. Conduct regular security audits and penetration testing focusing on plugin vulnerabilities and user privilege management. 10. Prepare incident response plans to quickly address any detected exploitation attempts.