CVE-2026-1914 identifies a Stored Cross-Site Scripting vulnerability in the FuseDesk plugin for WordPress, specifically within the fusedesk_newcase shortcode's handling of the 'emailtext' attribute. The root cause is insufficient sanitization and escaping of user-supplied input, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed in the context of any user who views the injected page, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim's privileges. The vulnerability affects all versions of FuseDesk up to and including 6.8. The CVSS 3.1 base score of 6.4 reflects a medium severity, with an attack vector over the network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. Although no public exploits have been reported, the vulnerability's presence in a widely used WordPress plugin makes it a significant risk. The lack of available patches at the time of disclosure necessitates immediate mitigation efforts. The vulnerability is cataloged under CWE-79, indicating improper neutralization of input during web page generation, a common vector for XSS attacks.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity within affected WordPress sites using the FuseDesk plugin. Attackers with Contributor-level access can inject scripts that execute in other users' browsers, enabling theft of session cookies, user impersonation, unauthorized actions, or distribution of malware. This can lead to account takeover, data leakage, and erosion of trust in the affected organization's web presence. While availability is not directly impacted, successful exploitation can facilitate further attacks that may degrade service. Organizations relying on FuseDesk for customer support or case management risk exposure of sensitive communications and user data. The medium CVSS score reflects that exploitation requires authenticated access, limiting the attack surface to insiders or compromised accounts, but the scope change indicates that the vulnerability can affect users beyond the attacker. The absence of known exploits in the wild reduces immediate risk but does not preclude future exploitation, especially as attackers often target popular WordPress plugins.

To mitigate CVE-2026-1914, organizations should first monitor for and apply any official patches or updates released by the FuseDesk plugin vendor as soon as they become available. In the absence of patches, administrators should restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script payloads in the 'emailtext' attribute can provide temporary protection. Additionally, site owners should audit existing content generated via the fusedesk_newcase shortcode for injected scripts and remove any suspicious entries. Enforcing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly reviewing user roles and permissions, combined with security awareness training for contributors, can reduce the likelihood of exploitation. Finally, monitoring logs for unusual activity related to FuseDesk shortcode usage can aid in early detection of attempted exploitation.