CVE-2026-1939 in Percent to Infograph Plugin
Summary
by MITRE • 02/14/2026
The Percent to Infograph plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `percent_to_graph` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 02/19/2026
The Percent to Infograph plugin for WordPress presents a critical stored cross-site scripting vulnerability, identified as CVE-2026-1939, affecting all versions through 1.0. The flaw stems from inadequate input sanitization and output escaping in the plugin's `percent_to_graph` shortcode implementation: user-supplied attributes are processed without proper validation or escaping, so malicious markup can be stored persistently within the WordPress environment. Security researchers classify the issue as stored XSS, meaning the malicious script is not executed at submission time but is saved on the server and executed whenever an affected page is accessed by an unsuspecting user. The vulnerability is particularly concerning because it requires only contributor-level access or higher, making it accessible to users who already hold significant privileges within the WordPress administrative interface. This low privilege requirement amplifies the potential impact, since an attacker can leverage an existing user account with minimal additional effort to compromise the entire WordPress installation.
Exploitation occurs through the `percent_to_graph` shortcode attributes: attacker-controlled input is embedded directly into the plugin's output without sanitization. When an authenticated user with contributor privileges or higher creates or modifies content whose shortcode parameters contain a malicious script, that script is stored in the WordPress database. Whenever any user subsequently accesses a page containing the stored content, the injected script executes in the context of the victim's browser session. Because the payload is stored, it persists after the initial injection, creating a long-term threat that can affect many users over an extended period. The vulnerability maps to CWE-79, which defines Cross-Site Scripting as a weakness where untrusted data is incorporated into web page content without proper validation or escaping. The attack vector follows established patterns described in the ATT&CK framework under T1566, specifically targeting credential access through malicious web content. The impact extends beyond simple script execution, as it can enable further attacks such as session hijacking, data exfiltration, or privilege escalation within the WordPress environment.
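To make the sanitization-and-escaping point concrete, here is an added example; it is not the plugin's code, and the advisory does not show the real handler. It places a shortcode handler in the vulnerable shape the analysis describes next to a hardened version. The attribute names `percent`, `label` and `color` and the generated markup are assumptions, and the helper stubs exist only so the file runs under plain `php` outside WordPress.

```php
<?php
// Added example, not the plugin's own code. Vulnerable shape (attribute values
// interpolated straight into HTML) beside a hardened handler. The attribute
// names percent, label and color are assumptions; the page does not list the
// real plugin's attributes.

// Stand-ins so the file runs from the command line. Inside WordPress these
// helpers come from core and the stubs are skipped.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts): array {
        foreach ($defaults as $k => $v) {
            if (array_key_exists($k, $atts)) { $defaults[$k] = $atts[$k]; }
        }
        return $defaults;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s): string {
        return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($s): string { return esc_attr($s); }
}
if (!function_exists('absint')) {
    function absint($v): int { return abs((int) $v); }
}

const PTG_DEFAULTS = ['percent' => '0', 'label' => '', 'color' => '#0073aa'];

// Vulnerable shape: whatever the author typed lands in the markup unchanged,
// so a double quote breaks out of the attribute and angle brackets open tags.
function percent_to_graph_vulnerable($atts): string {
    $a = shortcode_atts(PTG_DEFAULTS, (array) $atts);
    return '<div class="ptg" style="width:' . $a['percent'] . '%;background:' . $a['color'] . '">'
         . $a['label'] . '</div>';
}

// Hardened handler: validate each attribute against the type it should have,
// then escape the free-text value for the exact context it is written into.
function percent_to_graph_hardened($atts): string {
    $a = shortcode_atts(PTG_DEFAULTS, (array) $atts);
    $percent = min(100, absint($a['percent']));                        // integer 0..100 only
    $color   = preg_match('/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', (string) $a['color'])
             ? $a['color'] : PTG_DEFAULTS['color'];                     // hex literal or default
    return sprintf(
        '<div class="ptg" style="width:%d%%;background:%s" title="%s">%s</div>',
        $percent,
        esc_attr($color),
        esc_attr($a['label']),   // attribute context
        esc_html($a['label'])    // element text context
    );
}

// In the plugin, the hardened handler is what the shortcode should be wired to.
if (function_exists('add_shortcode')) {
    add_shortcode('percent_to_graph', 'percent_to_graph_hardened');
}

// Constructed sample input of the kind the advisory warns about; run from the
// CLI to compare the two outputs.
if (PHP_SAPI === 'cli' && !defined('ABSPATH')) {
    $crafted = [
        'percent' => '40" onmouseover="alert(1)',
        'label'   => '<b onmouseover="alert(1)">Q1</b>',
        'color'   => 'red;background-image:url(x)',
    ];
    echo "vulnerable: ", percent_to_graph_vulnerable($crafted), "\n";
    echo "hardened:   ", percent_to_graph_hardened($crafted), "\n";
}
```

The hardened version follows the usual WordPress pattern: coerce typed attributes (`absint`, a hex-colour check) on input, and escape free text with `esc_attr` or `esc_html` at the point of output, because the same string needs different treatment inside an attribute than between tags. If a plugin wants to allow limited markup in a label, `wp_kses_post` is the core function for that; plain concatenation never is.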
The operational impact of CVE-2026-1939 represents a significant risk to WordPress installations utilizing the Percent to Infograph plugin, particularly in environments where multiple users have contributor-level access or higher. Organizations relying on WordPress for content management systems face potential exposure to persistent malicious code execution that can compromise user sessions and potentially lead to full system compromise. The vulnerability's exploitation requires minimal technical expertise, making it attractive to threat actors who may leverage it for broader attacks within compromised environments. Security administrators must consider the implications for user trust and data integrity, as the malicious scripts could be used to steal sensitive information, redirect users to malicious sites, or manipulate content displayed to authenticated users. The vulnerability also affects the plugin's overall security posture, potentially exposing other components of the WordPress ecosystem to additional attack vectors through the compromised shortcode functionality. Organizations with multiple contributors or users with elevated privileges face heightened risk, as the attack surface expands with each user who can create or modify content containing the vulnerable shortcode parameters.
Mitigation of CVE-2026-1939 should prioritize updating the plugin to the latest available version that addresses the stored XSS vulnerability. Within the plugin's shortcode processing logic, every user-supplied attribute should be validated on input and escaped on output before it is incorporated into web page content. Administrators should also apply the principle of least privilege by limiting contributor-level access to users who genuinely need it, reducing the attack surface. A Content Security Policy header adds a further layer of protection by preventing unauthorized scripts from running even if the vulnerability is exploited. Regular security audits and monitoring of installed plugins help identify and remediate similar vulnerabilities across the WordPress ecosystem. Mitigation should also include educating users about the risks of adding untrusted content to WordPress installations and the importance of maintaining up-to-date security configurations, and establishing incident response procedures specifically for stored XSS so that similar threats are detected and remediated rapidly.
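For the monitoring and incident-response steps above, here is an added example (not VulDB's or the plugin's code) that scans stored post content for `percent_to_graph` shortcodes whose attribute values look like context breakouts rather than chart data. The sample rows are constructed, and the attribute names in them are assumptions; on a live site the same function is fed rows from `wp_posts`.

```php
<?php
// Added example, not VulDB's or the plugin's code: a defender's scan of stored
// post content for percent_to_graph shortcodes with suspicious attribute values.
// Sample rows below are constructed.

// Parse name="value", name='value' and bare name=value pairs from the text
// between "[percent_to_graph" and "]".
function ptg_parse_atts(string $attText): array {
    $atts = [];
    $pattern = '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/';
    if (preg_match_all($pattern, $attText, $m, PREG_SET_ORDER)) {
        foreach ($m as $hit) {
            $value = $hit[2] ?? '';
            if ($value === '') { $value = $hit[3] ?? ''; }
            if ($value === '') { $value = $hit[4] ?? ''; }
            $atts[$hit[1]] = $value;
        }
    }
    return $atts;
}

// Indicators that a value was crafted to escape its context rather than to
// describe a chart: tags, stray quotes, event handlers, script URIs, entities.
function ptg_value_reasons(string $name, string $value): array {
    $checks = [
        'markup'        => '/[<>]/',
        'quote'         => '/["\']/',
        'event handler' => '/\bon\w+\s*=/i',
        'script uri'    => '/javascript\s*:/i',
        'entity'        => '/&#?\w+;/',
    ];
    $reasons = [];
    // A quote breakout parsed as its own attribute shows up as an on* name.
    if (preg_match('/^on\w+$/i', $name)) { $reasons[] = 'event handler attribute name'; }
    foreach ($checks as $label => $re) {
        if (preg_match($re, $value)) { $reasons[] = $label; }
    }
    return $reasons;
}

// $rows: list of ['ID' => int, 'post_content' => string].
// Returns one finding per suspicious attribute value.
function ptg_scan_posts(array $rows): array {
    $findings = [];
    foreach ($rows as $row) {
        if (!preg_match_all('/\[percent_to_graph\b([^\]]*)\]/i', $row['post_content'], $m)) {
            continue;
        }
        foreach ($m[1] as $attText) {
            foreach (ptg_parse_atts($attText) as $name => $value) {
                $reasons = ptg_value_reasons($name, $value);
                if ($reasons) {
                    $findings[] = ['post' => $row['ID'], 'attr' => $name,
                                   'value' => $value, 'reasons' => $reasons];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows: one benign use and two crafted attribute values.
$sample_rows = [
    ['ID' => 101, 'post_content' => 'Revenue share [percent_to_graph percent="62" label="Q1 revenue"]'],
    ['ID' => 102, 'post_content' => "[percent_to_graph percent='40\" onmouseover=\"alert(1)' label=\"Q2\"]"],
    ['ID' => 103, 'post_content' => '[percent_to_graph percent="25" label="<img src=x onerror=alert(1)>"]'],
];

if (PHP_SAPI === 'cli' && !defined('ABSPATH')) {
    foreach (ptg_scan_posts($sample_rows) as $f) {
        printf("post %d attr %-8s [%s] %s\n",
               $f['post'], $f['attr'], implode(', ', $f['reasons']), $f['value']);
    }
}

// On a live site, feed the same function rows from the database, e.g. inside a
// WP-CLI command:
//   $wpdb->get_results("SELECT ID, post_content FROM {$wpdb->posts}
//                       WHERE post_content LIKE '%[percent_to_graph%'", ARRAY_A)
```

Run with `php scan.php`; posts 102 and 103 are reported, post 101 is not. The checks are deliberately broad (a legitimate label containing an apostrophe will be flagged too), which is the right trade-off for a one-off sweep after applying the update: every hit is reviewed by a human, and the post revision history shows which account introduced the value.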