CVE-2026-1914 in FuseDesk Plugin

Summary

by MITRE • 03/21/2026

The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusedesk_newcase shortcode in all versions up to, and including, 6.8 due to insufficient input sanitization and output escaping on the 'emailtext' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/21/2026

The FuseDesk plugin for WordPress contains a critical stored cross-site scripting vulnerability, identified as CVE-2026-1914, affecting all versions through 6.8. The flaw resides in the plugin's fusedesk_newcase shortcode implementation and represents a significant threat to WordPress environments that use this plugin. It stems from inadequate input sanitization and insufficient output escaping of the 'emailtext' shortcode attribute. An attacker who exploits this weakness can inject scripts that persist in the application's database, which makes the vulnerability particularly dangerous because it allows long-term persistence and widespread impact.

The vulnerability is classified under CWE-79, which covers cross-site scripting flaws arising from missing input validation and output escaping. This implementation flaw enables authenticated attackers with Contributor-level access or higher to execute malicious code in the context of other users' browsers. Because the vulnerability is stored, once a payload is injected it remains embedded in the plugin's data and executes automatically whenever an affected page is accessed by any user with the appropriate permissions. This turns what might initially appear to be a limited injection vector into a persistent threat that can compromise multiple users over time.

The operational impact of CVE-2026-1914 extends beyond simple script execution to potentially enable more sophisticated attacks including session hijacking, credential theft, and data exfiltration. Since the vulnerability requires only Contributor-level access or higher, it represents a significant risk in environments where multiple users have varying permission levels, as attackers can leverage this privilege to establish persistent backdoors. The attack surface is particularly concerning in business environments that rely on WordPress for customer relationship management, as the injected scripts could access sensitive customer data or manipulate the plugin's functionality to redirect users to malicious sites. This vulnerability directly maps to attack techniques described in the MITRE ATT&CK framework under the T1566 category for social engineering and T1059 for command and scripting interpreter, as it enables attackers to execute malicious code through web-based interfaces.

Mitigation strategies for this vulnerability should prioritize immediate patching of the FuseDesk plugin to the latest version that addresses the input sanitization and output escaping issues. Organizations should implement strict input validation controls that filter and sanitize all user-provided data before storage, particularly focusing on attributes that are rendered in web contexts. The principle of least privilege should be enforced to limit the ability of low-privilege users to inject content that could affect other users. Additionally, regular security audits of WordPress plugins should include verification of input sanitization practices and output escaping mechanisms. Network monitoring solutions should be configured to detect suspicious script injection patterns, and web application firewalls should be deployed to filter malicious payloads before they can be executed. Security teams should also consider implementing content security policies to limit script execution capabilities and establish regular vulnerability scanning procedures to identify similar issues in other installed plugins.
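As an added illustration (not FuseDesk's own code), the following is a hypothetical WordPress shortcode handler of the shape the advisory describes, first in the unsafe pattern and then with the input sanitization and output escaping the mitigation calls for; the shortcode and function names are assumed.

```php
<?php
// Hypothetical shortcode that renders an 'emailtext' attribute as HTML.
// Shortcode and function names are assumed; only the attribute name
// comes from the advisory.

// Vulnerable pattern: the attribute value is concatenated into the
// page unescaped. Whoever can place the shortcode in a post (Contributor
// and above) controls this string, it is stored with the post, and it
// is rendered for every visitor of that page.
function demo_newcase_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'emailtext' => '' ),
        $atts,
        'demo_newcase'
    );
    return '<div class="newcase-email">' . $atts['emailtext'] . '</div>';
}

// Hardened pattern: sanitize on the way in, escape on the way out.
// sanitize_text_field() strips tags and control characters from the
// stored value; esc_html() guarantees that whatever survives is emitted
// as text, not markup. If limited HTML were genuinely required, the
// escaping step would be wp_kses_post() rather than dropping escaping.
function demo_newcase_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'emailtext' => '' ),
        $atts,
        'demo_newcase'
    );
    $text = sanitize_text_field( $atts['emailtext'] );
    return '<div class="newcase-email">' . esc_html( $text ) . '</div>';
}

// Register only the hardened handler; the vulnerable one is shown for
// comparison and should never be wired up.
add_shortcode( 'demo_newcase', 'demo_newcase_shortcode_hardened' );
```

When auditing other plugins for the same class of issue, look for shortcode and template callbacks that return or echo an attribute without passing it through an esc_* or wp_kses* function.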

Responsible: Wordfence

Reservation: 02/04/2026

Disclosure: 03/21/2026

Moderation: accepted

CPE: ready

EPSS: 0.00043

KEV: no

Activities: very low
