{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1401", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-23T21:45:27.335Z", "datePublished": "2026-02-06T06:46:31.276Z", "dateUpdated": "2026-04-08T17:24:06.677Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:06.677Z"}, "affected": [{"vendor": "jackdewey", "product": "Tune Library", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The vulnerability exists because the CSV import functionality lacks authorization checks and doesn't sanitize imported data, which is later rendered without escaping through the [tune-library] shortcode."}], "title": "Tune Library <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via CSV Import", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd600810-b1bc-4025-b441-5c90da7240de?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L219"}, {"url": "https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L235"}, {"url": "https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/writeNodes.php#L113"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3451457%40tune-library&new=3451457%40tune-library&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-01-23T22:00:35.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-05T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T19:25:16.754507Z", "id": "CVE-2026-1401", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T19:25:31.993Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1401", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-06T19:25:16.754507Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T19:25:21.617Z"}}], "cna": {"title": "Tune Library <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via CSV Import", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "jackdewey", "product": "Tune Library", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.6.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-23T22:00:35.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-05T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd600810-b1bc-4025-b441-5c90da7240de?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L219"}, {"url": "https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L235"}, {"url": "https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/writeNodes.php#L113"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3451457%40tune-library&new=3451457%40tune-library&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The vulnerability exists because the CSV import functionality lacks authorization checks and doesn't sanitize imported data, which is later rendered without escaping through the [tune-library] shortcode."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:06.677Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1401", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:24:06.677Z", "dateReserved": "2026-01-23T21:45:27.335Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-06T06:46:31.276Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The vulnerability exists because the CSV import functionality lacks authorization checks and doesn't sanitize imported data, which is later rendered without escaping through the [tune-library] shortcode."}, {"lang": "es", "value": "El plugin Tune Library para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de la importaci\u00f3n CSV en todas las versiones hasta la 1.6.3, inclusive. Esto se debe a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a la p\u00e1gina inyectada. La vulnerabilidad existe porque la funcionalidad de importaci\u00f3n CSV carece de comprobaciones de autorizaci\u00f3n y no sanitiza los datos importados, que luego se renderizan sin escape a trav\u00e9s del shortcode [tune-library]."}], "id": "CVE-2026-1401", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-06T07:16:11.563", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L219"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L235"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/writeNodes.php#L113"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3451457%40tune-library&new=3451457%40tune-library&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd600810-b1bc-4025-b441-5c90da7240de?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T18:46:53.662228+00:00", "value": {"mitigation_remediation": ["Upgrade the Tune Library plugin to a version newer than 1.6.3, which contains the necessary input filtering and authorization checks.", "If an upgrade is not immediately possible, disable or remove the CSV import feature for Subscriber\u2011level accounts, and allow upload only for administrators.", "Implement a content security policy that restricts script execution from user\u2011supplied content on the site to mitigate the impact of any residual unsanitized data."], "summary": {"action": "Apply Patch", "impact": "Stored XSS allowing arbitrary script injection"}, "threat_synthesis": {"affected_systems": "All versions of the Tune Library plugin up to and including 1.6.3 are impacted. The vulnerability affects installations of the WordPress plugin released by jackdewey, and any site that has not been updated beyond version 1.6.3.", "description_and_impact": "The Tune Library plugin for WordPress is vulnerable to stored cross\u2011site scripting via the CSV import feature. The import routine does not perform proper input sanitization or output escaping, and because it lacks authorization checks, a user with Subscriber or higher privileges can inject malicious scripts that are later rendered through the [tune-library] shortcode. This flaw enables an attacker to persistently embed arbitrary JavaScript that will execute when any user visits the injected page, compromising the integrity of the affected site and potentially exposing sensitive data.", "risk_and_exploitability": "The CVSS v3.1 score of 6.4 indicates moderate severity. The EPSS score is less than 1\u202f%, suggesting a low probability of widespread exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with Subscriber-level access or higher, and the attacker must use the CSV import functionality to inject payloads that are later displayed without escaping. Because the flaw is stored, once injected, the malicious code will affect all users who view the compromised content."}}}}, "created": "2026-02-09T10:52:47.452506+00:00", "updated": "2026-04-15T19:00:12.265975+00:00", "vendors": ["jackdewey", "jackdewey$PRODUCT$tune_library", "wordpress", "wordpress$PRODUCT$wordpress"]}