CVE-2026-1189
Stored XSS in LeadBI WordPress Plugin Allows Script Injection
Publication date: 2026-01-24
Last updated on: 2026-01-24
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| leadbi | leadbi_plugin | to 1.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the LeadBI Plugin for WordPress is a Stored Cross-Site Scripting (XSS) issue that occurs via the 'form_id' parameter of the 'leadbi_form' shortcode. Due to insufficient input sanitization and output escaping on user-supplied attributes, authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page.
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access to inject malicious scripts into WordPress pages. These scripts can execute in the context of users visiting the affected pages, potentially leading to theft of user credentials, session hijacking, defacement, or other malicious actions that compromise site integrity and user security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying the presence of the vulnerable LeadBI Plugin for WordPress (version 1.7 or earlier) and monitoring for suspicious usage of the 'form_id' parameter in the 'leadbi_form' shortcode that could contain malicious scripts. You can scan your WordPress installation to check if the LeadBI plugin is installed and its version. For example, use the following command to list installed plugins and their versions via WP-CLI: `wp plugin list --format=json | jq '.[] | select(.name=="leadbi")'`. Additionally, monitoring HTTP requests or logs for unusual or suspicious 'form_id' parameter values in pages using the shortcode may help detect exploitation attempts. However, no specific detection commands are provided in the resources. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing or disabling the LeadBI Plugin for WordPress if it is installed, especially versions up to and including 1.7, as these are vulnerable. Since the plugin is no longer available for download as of January 22, 2026, and has no active installations, ensuring it is not active on your site is critical. Additionally, restrict Contributor-level access or higher to trusted users only, as the vulnerability requires authenticated users with at least Contributor privileges to exploit. Monitoring and sanitizing user inputs related to the 'form_id' parameter in the shortcode can also help. Applying any available patches or updates from the plugin author, if released, is recommended. [2]