CVE-2026-1901 identifies a stored cross-site scripting (XSS) vulnerability in the QuestionPro Surveys plugin for WordPress, specifically in all versions up to and including 1.0. The vulnerability stems from insufficient sanitization and escaping of user-supplied input within the 'questionpro' shortcode attributes. This flaw allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into survey pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The attack vector is remote network-based, requiring only low complexity and no user interaction, but does require authentication with contributor or higher privileges. The vulnerability impacts confidentiality and integrity but not availability, as indicated by the CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). No patches or known exploits are currently available, and the issue was publicly disclosed on February 14, 2026. The vulnerability is classified under CWE-79, highlighting improper neutralization of input during web page generation. The scope is limited to sites using the vulnerable plugin versions, but the impact can be significant due to the stored nature of the XSS and the potential for persistent malicious script execution.

The primary impact of CVE-2026-1901 is the compromise of confidentiality and integrity within affected WordPress sites using the QuestionPro Surveys plugin. Attackers with contributor-level access can inject persistent malicious scripts, which execute in the context of other users' browsers, potentially leading to session hijacking, theft of authentication tokens, unauthorized actions, or defacement. This can undermine trust in the affected websites and lead to further compromise if administrative accounts are targeted. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by access controls; however, many WordPress sites allow contributors or similar roles for content creation, making exploitation feasible. The vulnerability does not impact availability directly but can facilitate broader attacks that may degrade service. Organizations relying on QuestionPro Surveys for data collection or customer engagement may face reputational damage and data integrity issues if exploited.

Until an official patch is released, organizations should implement the following mitigations: 1) Restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'questionpro' shortcode parameters. 3) Conduct regular audits of user-generated content for suspicious scripts or anomalies. 4) Educate content contributors about safe input practices and the risks of injecting untrusted code. 5) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 6) Consider temporarily disabling or removing the QuestionPro Surveys plugin if feasible until a patch is available. 7) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. These targeted actions go beyond generic advice and address the specific nature of this stored XSS vulnerability.