Attack Vectors
Percent to Infograph (slug: percent-to-infograph) has a Medium severity vulnerability (CVSS 6.4) identified as CVE-2026-1939. The issue affects all versions up to and including 1.0.
The primary attack path requires an attacker to be an authenticated WordPress user with at least Contributor access. By adding or editing content that uses the percent_to_graph shortcode and supplying malicious shortcode attributes, the attacker can store harmful script content inside a page or post.
Because the injected script is stored, it can run later when other users view the affected page—potentially including executives, marketing staff, site administrators, and customers—without them doing anything unusual beyond loading the page.
Security Weakness
This vulnerability is a Stored Cross-Site Scripting (Stored XSS) weakness caused by insufficient input sanitization and output escaping of user-supplied shortcode attributes in the percent_to_graph shortcode. In business terms, the plugin does not consistently treat user-provided content as untrusted before displaying it on the site.
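To make the weakness concrete, here is an added PHP illustration (not the Percent to Infograph plugin's own code) of the two handler patterns the paragraph contrasts: a shortcode callback that interpolates its attributes straight into markup, beside a hardened version that validates each attribute for its expected type and escapes it for the context it lands in. The attribute names (value, label, color) and the example tag name are assumptions made for illustration, not the plugin's real ones.

```php
<?php
// Added example, not the Percent to Infograph plugin's own code.
// Attribute names (value, label, color) and the tag name are assumed.

// Vulnerable pattern: attributes go into the markup exactly as the author
// typed them, so anyone allowed to use the shortcode controls raw HTML that
// every later visitor's browser will render.
function example_percent_graph_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'value' => 0, 'label' => '', 'color' => '#3366cc' ),
        $atts,
        'example_percent_graph_unsafe'
    );
    return '<div class="ptg" style="width:' . $atts['value'] . '%;background:' . $atts['color'] . '">'
        . $atts['label'] . '</div>';
}

// Hardened pattern: validate each attribute against the type it is supposed
// to be, then escape for the exact output context (attribute vs. element body).
function example_percent_graph_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'value' => 0, 'label' => '', 'color' => '#3366cc' ),
        $atts,
        'example_percent_graph'
    );

    // Percentage: integer only, clamped to 0..100. absint() discards anything
    // that is not a non-negative number, so no string ever reaches the CSS.
    $value = min( 100, max( 0, absint( $atts['value'] ) ) );

    // Colour: allow-list a 3- or 6-digit CSS hex colour; fall back otherwise.
    $color = preg_match( '/^#(?:[0-9a-fA-F]{3}){1,2}$/', $atts['color'] )
        ? $atts['color']
        : '#3366cc';

    // Label: plain text only. esc_html() encodes <, >, &, and quotes.
    $label = esc_html( $atts['label'] );

    return sprintf(
        '<div class="ptg" style="width:%d%%;background:%s">%s</div>',
        $value,
        esc_attr( $color ),
        $label
    );
}

// Registered under an example tag so it does not replace the plugin's own.
add_shortcode( 'example_percent_graph', 'example_percent_graph_safe' );
```

The point of the hardened version is that sanitization happens per attribute and per context: a number is clamped, a colour is matched against an allow-list, free text is HTML-encoded, and nothing user-supplied is trusted because the author happened to be logged in. A hardened handler in your own code does not patch the plugin itself; the mitigation posture in the Impacts section still applies.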
Even though the attacker must be logged in, Contributor-level access is commonly granted for content workflows. That makes this risk particularly relevant for organizations with multiple authors, agencies, freelancers, or distributed teams publishing content.
At the time of writing, there is no known patch available. Risk decisions should be based on your organization’s tolerance for exposure and the business criticality of the affected site.
Technical or Business Impacts
Brand and trust risk: A stored script can alter page content, display misleading messages, or redirect visitors—damaging brand credibility and campaign performance, especially on high-traffic landing pages.
Account and operational risk: If an administrator or staff member views an injected page while logged in, the script may be able to take actions within their browser session, potentially leading to unauthorized changes, publishing of rogue content, or other workflow disruption.
Compliance and privacy exposure: Depending on what site data is accessible in a user’s browser session and what the injected script does, there may be downstream compliance implications. Compliance teams should assess whether affected pages are part of regulated workflows, customer data collection, or critical disclosures.
Recommended mitigation posture (given no patch): Consider uninstalling Percent to Infograph and replacing it with a safer alternative. If removal is not immediately feasible, reduce exposure by limiting who can create/edit content containing the percent_to_graph shortcode, reviewing recent content changes for suspicious shortcode usage, and strengthening editorial controls for Contributor-level accounts.
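Two of the interim controls above (limiting who can save content that carries the shortcode, and reviewing existing content for its use) can be implemented as a small must-use plugin. The following is an added example written for this page, not code from the Percent to Infograph project; the gate maps "Contributor-level" to the absence of the unfiltered_html capability, which is an assumption you may want to adjust to your role setup.

```php
<?php
/**
 * Plugin Name: Example percent_to_graph editorial controls (mu-plugin)
 *
 * Added example, not part of the Percent to Infograph plugin. Place in
 * wp-content/mu-plugins/ so it loads on every request. Two controls:
 *  1. Users without the 'unfiltered_html' capability (Contributors, Authors)
 *     cannot save content containing [percent_to_graph ...]; the shortcode
 *     is stripped before the post is written.
 *  2. An audit helper lists every post or page that still carries the
 *     shortcode, with author and last-modified date, for manual review.
 */

const PTG_EXAMPLE_TAG = 'percent_to_graph';

// Detect the shortcode with a plain regex rather than has_shortcode(), which
// returns false once the tag is unregistered (e.g. after uninstalling).
function ptg_example_content_has_shortcode( $content ) {
    $pattern = '/\[' . preg_quote( PTG_EXAMPLE_TAG, '/' ) . '(\s[^\]]*)?\]/';
    return (bool) preg_match( $pattern, $content );
}

// Remove every [percent_to_graph ...] tag (including enclosed content, if any).
function ptg_example_strip_shortcode( $content ) {
    $pattern = '/' . get_shortcode_regex( array( PTG_EXAMPLE_TAG ) ) . '/s';
    return preg_replace( $pattern, '', $content );
}

// Control 1: gate at save time. $data arrives slashed, but the tag name has
// no quotes, so the match is unaffected. Requests with no logged-in user
// (cron, CLI imports) are treated as untrusted and also stripped.
function ptg_example_filter_post_data( $data, $postarr ) {
    if ( empty( $data['post_content'] )
        || ! ptg_example_content_has_shortcode( $data['post_content'] ) ) {
        return $data;
    }
    if ( current_user_can( 'unfiltered_html' ) ) {
        // These roles can already post raw HTML; blocking them gains nothing.
        return $data;
    }
    $data['post_content'] = ptg_example_strip_shortcode( $data['post_content'] );
    return $data;
}
add_filter( 'wp_insert_post_data', 'ptg_example_filter_post_data', 10, 2 );

// Control 2: audit helper. Returns one row per affected post for review.
function ptg_example_audit() {
    $query = new WP_Query( array(
        'post_type'      => 'any',
        'post_status'    => 'any',
        'posts_per_page' => -1,
        's'              => '[' . PTG_EXAMPLE_TAG,
        'no_found_rows'  => true,
    ) );
    $rows = array();
    foreach ( $query->posts as $post ) {
        // The 's' search is a loose LIKE over title/content/excerpt;
        // confirm with the stricter pattern before reporting.
        if ( ! ptg_example_content_has_shortcode( $post->post_content ) ) {
            continue;
        }
        $rows[] = array(
            'id'       => $post->ID,
            'title'    => $post->post_title,
            'author'   => get_the_author_meta( 'display_name', $post->post_author ),
            'modified' => $post->post_modified,
            'status'   => $post->post_status,
        );
    }
    return $rows;
}

// Optional: expose the audit as `wp ptg-audit` when WP-CLI is available.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'ptg-audit', function () {
        WP_CLI\Utils\format_items(
            'table',
            ptg_example_audit(),
            array( 'id', 'title', 'author', 'modified', 'status' )
        );
    } );
}
```

Run the audit before and after tightening permissions: rows whose author lacks the capability, or whose modified date is recent and unexpected, are the ones to open and inspect for unusual shortcode attributes. Stripping on save is a blunt control; it breaks the shortcode for lower-privilege authors by design, which is the trade-off the interim posture accepts until a patched version exists.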
Similar Attacks
Stored XSS has repeatedly been used to compromise WordPress sites through vulnerable plugins, particularly when attackers can inject scripts into content that later gets viewed by administrators or the public. Examples include:
CVE-2021-24335 (WP HTML Mail) — an example of a WordPress plugin Stored XSS vulnerability impacting administrative interfaces and site trust.
CVE-2022-21661 (WordPress core XSS) — an example of XSS risk in the WordPress ecosystem with potential security and business impact.