CVE-2026-1912 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Citations tools plugin for WordPress, developed by ulaulaman. The vulnerability exists due to improper neutralization of input during web page generation, specifically in the handling of the 'code' parameter within the 'ctdoi' shortcode. This parameter is insufficiently sanitized and escaped before being output, allowing an authenticated attacker with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other attacks that compromise user confidentiality and integrity of the site content. The vulnerability affects all versions up to and including 0.3.2 of the plugin. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and a scope change due to affecting other users. No known public exploits have been reported yet, but the vulnerability poses a significant risk in environments where multiple users have editing permissions. The root cause is the lack of proper input validation and output encoding on user-supplied shortcode attributes, a common issue in web application security classified under CWE-79. Mitigation requires updating the plugin to a fixed version once available or applying manual input sanitization and output escaping in the shortcode handler.

The primary impact of CVE-2026-1912 is the compromise of confidentiality and integrity within WordPress sites using the vulnerable Citations tools plugin. Attackers with Contributor-level access can inject persistent malicious scripts that execute in the browsers of other users, potentially stealing session cookies, performing actions on behalf of victims, or defacing content. This can lead to unauthorized access escalation, data leakage, and erosion of user trust. Although availability is not directly affected, the reputational damage and potential for further exploitation can disrupt normal operations. Organizations relying on this plugin, especially those with multiple content contributors or editors, face increased risk of internal threat vectors and targeted attacks. The vulnerability's exploitation requires authentication, limiting exposure to insiders or compromised accounts, but the ease of exploitation and scope of affected systems make it a notable threat in collaborative WordPress environments.

To mitigate CVE-2026-1912, organizations should immediately audit their WordPress installations for the presence of the vulnerable Citations tools plugin and restrict Contributor-level access to trusted users only. Since no patch links are currently available, administrators should consider temporarily disabling the plugin or removing the 'ctdoi' shortcode usage until a fixed version is released. Implementing Web Application Firewall (WAF) rules to detect and block suspicious input patterns in the 'code' parameter can reduce exploitation risk. Developers maintaining the plugin should apply strict input validation and output encoding on all user-supplied shortcode attributes, leveraging WordPress's built-in sanitization functions such as sanitize_text_field() and esc_html(). Regularly monitoring logs for unusual shortcode usage and educating contributors about the risks of injecting untrusted content can further reduce attack surface. Once a patch is released, prompt updating is essential. Additionally, enforcing multi-factor authentication (MFA) for all authenticated users can help mitigate the risk of compromised accounts being used to exploit this vulnerability.