CVE-2026-1901 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the QuestionPro Surveys plugin for WordPress. The vulnerability exists due to insufficient sanitization and escaping of user-supplied input in the 'questionpro' shortcode, which is used to embed surveys within WordPress pages. Specifically, authenticated users with Contributor-level privileges or higher can inject arbitrary JavaScript code into pages by manipulating shortcode attributes. Because the injected scripts are stored persistently, they execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or unauthorized actions performed in the context of the victim's browser session. The vulnerability affects all versions up to and including 1.0 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, and requiring privileges (Contributor or above). No user interaction is needed for exploitation, and the scope is changed since the vulnerability can affect other users viewing the injected content. No public exploits have been reported yet, but the risk remains significant for sites that have not applied patches or mitigations. This vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those that allow user-generated content or input to be rendered on pages.

For European organizations, this vulnerability poses a moderate risk primarily to websites using WordPress with the QuestionPro Surveys plugin installed. Exploitation can lead to unauthorized script execution in the browsers of site visitors or administrators, potentially resulting in session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of legitimate users. This can damage organizational reputation, lead to data breaches, and disrupt business operations. Since the vulnerability requires authenticated access at Contributor level or above, insider threats or compromised accounts increase risk. Organizations in sectors with high reliance on web presence, such as e-commerce, education, and public services, may face higher impact. Additionally, GDPR considerations mean that any data breach resulting from exploitation could lead to regulatory penalties. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits post-disclosure. The vulnerability’s scope change means that the impact extends beyond the initial attacker to all users accessing the infected pages, increasing potential damage.

1. Immediately update the QuestionPro Surveys plugin to a patched version once available. If no patch is currently released, consider temporarily disabling the plugin to prevent exploitation. 2. Restrict Contributor-level and higher permissions strictly to trusted users to reduce the risk of malicious input injection. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injections in shortcode attributes. 4. Conduct regular audits of user-generated content and shortcode usage to identify and remove any injected malicious scripts. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected web pages. 6. Educate site administrators and contributors about the risks of XSS and safe content handling practices. 7. Monitor logs for unusual activity related to shortcode usage or privilege escalations. 8. Consider using security plugins that provide enhanced input sanitization and output encoding for WordPress shortcodes. These steps go beyond generic advice by focusing on access control, proactive detection, and layered defenses tailored to this plugin’s context.