Attack Vectors
Citations tools (WordPress plugin slug: citations-tools) is affected by a medium-severity vulnerability (CVSS 6.4) tracked as CVE-2026-1912. The issue affects all versions up to and including 0.3.2.
The primary attack path is the plugin’s ctdoi shortcode, specifically its code attribute. An attacker with authenticated access at the Contributor level or higher can place script content in that attribute within pages or posts where the shortcode is used. Because this is stored cross-site scripting (XSS), the injected script runs later in the browser of anyone who views the affected page, with no click or other interaction required from the viewer.
Security Weakness
This vulnerability exists because user-supplied shortcode attributes in Citations tools are not sufficiently sanitized on input or escaped on output. In practical terms, the plugin does not reliably treat the code attribute as untrusted input, either when the content is saved or when it is rendered.
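The following is an added illustration of the weakness class, not the plugin's own code (which the advisory does not reproduce). It shows a hypothetical `[ctdoi code="..."]` handler that concatenates the attribute straight into HTML, beside a hardened version that allow-lists the value as a DOI and escapes it for each output context. The function names, the DOI-link markup, and the stand-in definitions of `esc_html()` / `esc_url()` (used only so the file runs outside WordPress; WordPress's real functions also filter unsafe URL schemes) are all assumptions.

```php
<?php
// Added example, not the plugin's own code. It assumes a shortcode of the
// form [ctdoi code="10.1000/xyz123"] that renders a link to the cited DOI;
// the function names and output markup are hypothetical.

// Stand-ins so the file runs outside WordPress; inside WordPress the real
// esc_html()/esc_url() are already defined and are used instead.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
    function esc_url( $s )  { return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
}

// VULNERABLE pattern: the attribute is treated as trusted and concatenated
// straight into markup. Whoever can place the shortcode (Contributor+) now
// controls raw HTML on every page that renders it, for every viewer.
function ctdoi_render_unsafe( $atts ) {
    $atts = array_merge( array( 'code' => '' ), (array) $atts );
    return '<a class="doi" href="https://doi.org/' . $atts['code'] . '">'
         . $atts['code'] . '</a>';
}

// HARDENED pattern: validate the value against an allow-list on input, then
// escape it for each output context (URL attribute vs. element text).
function ctdoi_render_safe( $atts ) {
    // In WordPress, shortcode_atts( array( 'code' => '' ), $atts, 'ctdoi' )
    // is the idiomatic way to apply defaults; array_merge keeps this stand-alone.
    $atts = array_merge( array( 'code' => '' ), (array) $atts );
    $code = trim( (string) $atts['code'] );

    // DOI syntax: "10." + 4-9 registrant digits + "/" + a conservative suffix
    // character set. Quotes, angle brackets, spaces and URL schemes cannot
    // pass this check, so no markup-shaped value reaches the output at all.
    if ( ! preg_match( '~^10\.\d{4,9}/[-._;()/:A-Za-z0-9]+$~', $code ) ) {
        return '<span class="doi-invalid">invalid DOI</span>';
    }

    return '<a class="doi" href="' . esc_url( 'https://doi.org/' . $code ) . '">'
         . esc_html( $code ) . '</a>';
}

// Register only the hardened handler when running inside WordPress.
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'ctdoi', 'ctdoi_render_safe' );
}

// Stand-alone demonstration with constructed inputs (php this_file.php).
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_shortcode' ) ) {
    $good = array( 'code' => '10.1000/xyz123' );
    $bad  = array( 'code' => 'oops<b>bold</b>' );   // markup where a DOI belongs

    echo ctdoi_render_unsafe( $bad ), "\n";  // the <b> tags are emitted verbatim
    echo ctdoi_render_safe( $good ), "\n";   // escaped, well-formed DOI link
    echo ctdoi_render_safe( $bad ), "\n";    // rejected before any output is built
}
```

The point of the hardened version is that validation and escaping are independent layers: the allow-list rejects anything that is not DOI-shaped, and the escaping calls still apply even if the allow-list is later loosened, so a future change to one layer does not silently reopen the injection.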
For business stakeholders, the important takeaway is that a user with limited publishing permissions (Contributor+) can introduce content that behaves like active code in a visitor’s browser. That breaks a core assumption many organizations make: that authentication alone prevents harmful content from being introduced.
Technical or Business Impacts
Brand and customer trust risk: Malicious scripts can modify what visitors see on your site, potentially displaying fraudulent messages, unwanted pop-ups, or redirect behavior—damaging credibility and conversion rates.
Data exposure and account risk: Stored XSS can be used to interfere with user sessions and potentially capture sensitive information displayed in the browser. Even if the CVSS rating is Medium, the impact can become significant if the affected pages are high-traffic or used by administrators and content managers.
Compliance and legal risk: If the injected scripts result in unauthorized tracking, data collection, or exposure of user information, this can create regulatory concerns for privacy and security programs (particularly where customer or employee data is involved).
Operational disruption: Incident response may require taking pages offline, auditing content history, resetting credentials, and performing a broader review of publishing permissions—activities that interrupt marketing and sales operations.
Mitigation note: There is no known patch available for Citations tools as described in the published advisory. Organizations should evaluate mitigations based on risk tolerance; in many cases, the safest business decision is to uninstall the affected plugin and replace it, especially if Contributor accounts exist or if multiple teams publish content.
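Because the advisory describes no patch, the practical next step for an incident responder is the content audit mentioned above: find every place the shortcode is used and flag `code` values that do not look like a DOI. The script below is an added example, not part of the advisory or the plugin. It assumes the attribute is meant to hold a DOI, and the post content it scans is a constructed sample; the WP-CLI command in the comment is one way to obtain real rows.

```php
<?php
// Added example, not from the advisory or the plugin: an offline audit that
// lists every [ctdoi] shortcode whose `code` attribute does not look like a
// DOI. It assumes the attribute is meant to hold a DOI; the input array and
// its contents are constructed for the demonstration.

const CTDOI_DOI_PATTERN = '~^10\.\d{4,9}/[-._;()/:A-Za-z0-9]+$~';

/**
 * @param  array $posts  post ID => post_content (also feed it revisions and
 *                       any custom fields whose values render shortcodes).
 * @return array         findings as [post_id, raw shortcode, reason]
 */
function ctdoi_audit( array $posts ) {
    $findings     = array();
    // WordPress attribute values cannot contain ']', so stopping at the first
    // closing bracket mirrors what the shortcode parser itself does.
    $shortcode_re = '~\[ctdoi\b([^\]]*)\]~i';
    // code="..." | code='...' | code=bare   (three alternatives, one captures)
    $attr_re      = '~\bcode\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))~i';

    foreach ( $posts as $post_id => $content ) {
        if ( ! preg_match_all( $shortcode_re, $content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            if ( ! preg_match( $attr_re, $m[1], $a ) ) {
                $findings[] = array( $post_id, $m[0], 'no code attribute' );
                continue;
            }
            $code = '';
            for ( $i = 1; $i <= 3; $i++ ) {       // first non-empty capture wins
                if ( isset( $a[ $i ] ) && $a[ $i ] !== '' ) { $code = $a[ $i ]; break; }
            }
            if ( ! preg_match( CTDOI_DOI_PATTERN, $code ) ) {
                $findings[] = array( $post_id, $m[0], 'non-DOI value: ' . $code );
            }
        }
    }
    return $findings;
}

// Constructed sample content. On a real site, feed it rows from wp_posts,
// e.g. the JSON from: wp post list --post_type=any --fields=ID,post_content --format=json
$sample_posts = array(
    101 => 'Cited as [ctdoi code="10.1000/xyz123"] in the annual report.',
    102 => 'Draft cite [ctdoi code="see note <b>below</b>"] still pending review.',
    103 => 'Two cites: [ctdoi code=10.5555/abc.1] and [ctdoi] with no attribute.',
);

foreach ( ctdoi_audit( $sample_posts ) as list( $post_id, $raw, $reason ) ) {
    printf( "post %d: %s -> %s\n", $post_id, $raw, $reason );
}
```

On the sample input this reports post 102 (markup where a DOI belongs) and the attribute-less shortcode in post 103, while the two well-formed DOIs pass. Run it against revisions and post meta as well as published content, since a Contributor's unpublished draft is rendered for the editor who reviews it.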
Similar Attacks
Stored XSS vulnerabilities in WordPress plugins have been used in real-world campaigns to deface sites, inject spam, and compromise visitor trust. Examples include:
Elementor Pro vulnerability exploited in the wild (Wordfence)