CVE-2026-1574 identifies a stored cross-site scripting vulnerability in the MyQtip – easy qTip2 plugin for WordPress, present in all versions up to and including 2.0.5. The vulnerability stems from insufficient sanitization and escaping of user input passed through the plugin's myqtip shortcode attributes. This improper neutralization of input (CWE-79) allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability requires authentication but no additional user interaction beyond viewing the infected page. The CVSS 3.1 base score is 6.4, indicating medium severity, with an attack vector over the network, low attack complexity, privileges required, no user interaction, and a scope change due to affecting other users. No patches or exploit code are currently publicly available, but the risk remains significant due to the widespread use of WordPress and the plugin. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in plugins that accept user-generated content. Organizations using this plugin should monitor for updates or consider disabling the plugin until a fix is available.

The impact of this vulnerability is primarily on the confidentiality and integrity of WordPress sites using the MyQtip – easy qTip2 plugin. Successful exploitation allows authenticated contributors or higher to inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions such as content modification or privilege escalation. While availability is not directly affected, the compromise of user sessions or administrative accounts can lead to broader site disruptions or defacements. Given WordPress's extensive use globally, especially among small to medium businesses, blogs, and content-driven sites, this vulnerability could facilitate targeted attacks against organizations relying on this plugin. The requirement for contributor-level access limits exploitation to insiders or compromised accounts, but the ease of injection and lack of user interaction needed increase risk. The vulnerability could be leveraged in multi-user environments to pivot attacks or spread malware. Without known public exploits, the immediate threat is moderate, but the potential for damage warrants prompt attention.

To mitigate this vulnerability, organizations should first check for any official patches or updates from the plugin vendor and apply them immediately once available. In the absence of a patch, administrators should consider disabling or uninstalling the MyQtip – easy qTip2 plugin to eliminate the attack surface. Restrict contributor-level access strictly to trusted users and audit existing contributor accounts for suspicious activity. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the myqtip shortcode parameters. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly review and sanitize all user-generated content inputs, and consider using security plugins that enforce input validation and output encoding. Monitor logs for unusual activity related to shortcode usage or script injections. Educate content contributors about the risks of injecting untrusted content and enforce least privilege principles. Finally, maintain regular backups and incident response plans to recover quickly if exploitation occurs.