Attack Vectors
The vulnerability CVE-2026-1901 affects the QuestionPro Surveys WordPress plugin (slug: questionpro-surveys) in versions up to and including 1.0 and is rated Medium severity (CVSS 6.4). It is a stored cross-site scripting issue that occurs through attributes in the questionpro shortcode.
In practical terms, an attacker needs an authenticated WordPress account with Contributor-level access or higher. If that access is obtained (through a compromised user, insider misuse, or overly broad permissions), the attacker can place a malicious shortcode into a post or page that is saved to your site. The injected script then runs in the browser of anyone who later visits the affected page.
This is especially relevant for organizations where multiple staff, agencies, or partners can create or edit posts/pages, or where content approvals allow Contributor-authored content to be published by editors without closely reviewing embedded shortcodes.
Security Weakness
According to the disclosed details, QuestionPro Surveys versions ≤ 1.0 have insufficient input sanitization and output escaping for user-supplied shortcode attributes. This means the plugin does not properly prevent untrusted content from being stored and later rendered in a way that browsers interpret as executable script.
Because this is stored XSS, the risk is not limited to a single click or session. The malicious content can persist on your site and repeatedly execute for every visitor who loads the affected page—until it is found and removed.
There is no known patch available at this time. Organizations should make a risk-based decision on mitigation, including whether to uninstall the plugin and replace it, as appropriate for their governance and compliance requirements.
Technical or Business Impacts
For marketing directors and business owners, the business impact of a Medium-severity stored XSS often centers on trust, brand integrity, and operational disruption. If exploited, attackers may be able to alter what site visitors see, inject unwanted content, or route users to fraudulent pages—creating reputational damage and undermining campaign performance.
From a risk and compliance perspective, this can also increase exposure to incidents involving unauthorized changes to public web content, potential misuse of user sessions, and customer complaints. Even if the underlying server is not “hacked,” visible defacement or malicious redirects on a corporate site can trigger executive escalation, legal review, and incident response costs.
Since there is no vendor-provided fix currently noted, mitigation may require operational steps such as restricting who can add shortcodes, tightening Contributor permissions, increasing content review controls, and considering removal or replacement of the affected plugin based on your risk tolerance and the business criticality of the survey functionality.
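To make the weakness described under Security Weakness and the interim mitigation above concrete, here is an added illustration in WordPress PHP. It is not the QuestionPro plugin's code: only the shortcode name "questionpro" comes from the advisory, while the attribute names, function names and the mu-plugin approach are assumptions.

```php
<?php
/**
 * Added illustration (not the plugin's own code): why unescaped shortcode
 * attributes become stored XSS, and how a handler should treat them.
 * The shortcode name "questionpro" is taken from the advisory; the attribute
 * names "id" and "title" and the function names are assumptions.
 */

// Weak pattern: attribute values are echoed straight into HTML. Whoever saved
// [questionpro title="..."] in a post controls the markup rendered to visitors.
function weak_questionpro_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'title' => '' ), $atts, 'questionpro' );
    return '<div class="qp-survey" data-id="' . $atts['id'] . '">'
         . '<h3>' . $atts['title'] . '</h3></div>';
}

// Hardened pattern: validate each attribute for its expected type on input,
// then escape for the exact output context (HTML attribute vs. text node).
function hardened_questionpro_shortcode( $atts ) {
    $atts  = shortcode_atts( array( 'id' => '', 'title' => '' ), $atts, 'questionpro' );
    $id    = absint( $atts['id'] );                  // survey id must be a positive integer
    $title = sanitize_text_field( $atts['title'] );  // strip tags and control characters
    if ( 0 === $id ) {
        return '';                                   // refuse to render an invalid survey reference
    }
    return '<div class="qp-survey" data-id="' . esc_attr( (string) $id ) . '">'
         . '<h3>' . esc_html( $title ) . '</h3></div>';
}

// Interim mitigation while no vendor fix exists: unregister the shortcode so
// stored [questionpro ...] instances are no longer expanded into HTML.
// Priority 20 assumes the plugin registers its shortcode at the default priority.
add_action( 'init', function () {
    remove_shortcode( 'questionpro' );
}, 20 );
```

Dropping the shortcode disables the survey embed on every page until the plugin is fixed or replaced, so pair it with a content review for existing shortcode instances saved by Contributor-level accounts.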
Similar Attacks
Stored cross-site scripting is a common pattern in WordPress and web applications when user input is not properly handled. The following public examples illustrate how XSS issues can be used to impact organizations and website visitors:
CISA Known Exploited Vulnerabilities (KEV) Catalog updates (periodic alerts often include actively exploited XSS and web application issues that can lead to real-world impact).
Acunetix: Stored XSS overview and business risks (a practical explanation of how stored XSS can be abused to affect users and organizations).
OWASP: Cross Site Scripting (XSS) (widely referenced industry guidance on how XSS works and why it matters).