{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1189", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-19T13:40:21.853Z", "datePublished": "2026-01-24T09:08:06.833Z", "dateUpdated": "2026-04-08T16:46:57.411Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:57.411Z"}, "affected": [{"vendor": "leadbi", "product": "LeadBI Plugin for WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LeadBI Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_id' parameter of the 'leadbi_form' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "LeadBI Plugin for WordPress <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_id' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3a196eaa-64c7-447b-9384-b58fcba57ec0?source=cve"}, {"url": "https://wordpress.org/plugins/leadbi/"}, {"url": "https://plugins.trac.wordpress.org/browser/leadbi/trunk/includes/Plugin.php#L72"}, {"url": "https://plugins.trac.wordpress.org/browser/leadbi/tags/1.7/includes/Plugin.php#L72"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "timeline": [{"time": "2026-01-23T20:32:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T17:41:41.208651Z", "id": "CVE-2026-1189", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T17:41:49.672Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1189", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T17:41:41.208651Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T17:41:44.036Z"}}], "cna": {"title": "LeadBI Plugin for WordPress <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_id' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "leadbi", "product": "LeadBI Plugin for WordPress", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-23T20:32:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3a196eaa-64c7-447b-9384-b58fcba57ec0?source=cve"}, {"url": "https://wordpress.org/plugins/leadbi/"}, {"url": "https://plugins.trac.wordpress.org/browser/leadbi/trunk/includes/Plugin.php#L72"}, {"url": "https://plugins.trac.wordpress.org/browser/leadbi/tags/1.7/includes/Plugin.php#L72"}], "descriptions": [{"lang": "en", "value": "The LeadBI Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_id' parameter of the 'leadbi_form' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-24T09:08:06.833Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1189", "state": "PUBLISHED", "dateUpdated": "2026-01-26T17:41:49.672Z", "dateReserved": "2026-01-19T13:40:21.853Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-24T09:08:06.833Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LeadBI Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_id' parameter of the 'leadbi_form' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin LeadBI para WordPress plugin de WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'form_id' del shortcode 'leadbi_form' en todas las versiones hasta la 1.7, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1189", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-24T09:15:53.680", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/leadbi/tags/1.7/includes/Plugin.php#L72"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/leadbi/trunk/includes/Plugin.php#L72"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/leadbi/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3a196eaa-64c7-447b-9384-b58fcba57ec0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:24:15.858680+00:00", "value": {"mitigation_remediation": ["Upgrade the LeadBI plugin to a version newer than 1.7 where the form_id sanitization and escaping has been corrected.", "If an immediate upgrade is not possible, disable the plugin or remove all instances of the 'leadbi_form' shortcode from existing content to prevent rendering of the stored script.", "Scan existing posts, pages, and custom content for the leadbi_form shortcode and clean any malicious 'form_id' attribute values."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All WordPress sites that have the LeadBI plugin installed from the leadbi vendor and running any version up to and including 1.7 are affected. Any installation where the plugin is active and users have Contributor or higher roles can be used to inject the malicious form_id value.", "description_and_impact": "The LeadBI plugin for WordPress contains a flaw in which the 'form_id' attribute of the 'leadbi_form' shortcode is not sanitized or escaped before being stored. This allows an authenticated user with Contributor or higher privileges to insert arbitrary JavaScript that will be served to any visitor who views a page containing the malicious shortcode. The vulnerability results in a stored cross\u2011site scripting condition that can compromise the integrity of rendered pages for all users on the site.", "risk_and_exploitability": "The CVSS score of 6.4 classifies this flaw as medium severity, while the EPSS score of less than 1% indicates a low probability of exploitation in the near term. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated Contributor\u2011level or higher account on the WordPress site and the ability to add or edit content containing the 'leadbi_form' shortcode; the injected script then executes for every visitor encountering the content."}}}}, "created": "2026-01-26T11:48:30.312396+00:00", "updated": "2026-04-16T01:30:20.312783+00:00", "vendors": ["leadbi", "leadbi$PRODUCT$leadbi_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}