CVE-2026-1261
Published: 10 March 2026
Summary
CVE-2026-1261 is a high-severity Cross-site Scripting (CWE-79) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 33.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-1261 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the MetForm Pro plugin for WordPress. It affects the Quiz feature in all versions up to and including 3.9.6 due to insufficient input sanitization and output escaping. Published on 2026-03-10, the vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, no privileges required, and no user interaction needed. By submitting malicious input through the Quiz feature, attackers inject arbitrary web scripts into pages, which then execute in users' browsers whenever those pages are accessed, enabling potential theft of session data or further compromise.
Advisories and code references highlight specific issues in the plugin's loader.php file at lines 69, 85, and 121 in version 3.9.5. Mitigation details are available in the Wordfence threat intelligence report and the plugin roadmap on wpmet.com/plugin/metform/roadmaps/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10479
Vulnerability details
The MetForm Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Quiz feature in all versions up to, and including, 3.9.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing WordPress plugin directly enables remote exploitation of the web application (T1190) and arbitrary JavaScript execution in victims' browsers (T1059.007).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all inputs to the Quiz feature, blocking the unsanitized malicious payloads that enable stored XSS.
- SI-15 (Information Output Filtering): mandates output filtering/escaping on rendered pages, preventing injected scripts from executing in user browsers.
- Provides malicious-code detection and blocking mechanisms that can catch or neutralize the web scripts injected via the vulnerable plugin.
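The following is an added example, not code from MetForm Pro or from the advisory, showing what "insufficient input sanitization and output escaping" (the root cause described in the deeper analysis) looks like in a hypothetical WordPress quiz handler, beside the hardened form that applies the two controls above: SI-10 validation when the answer is stored and SI-15 escaping when it is rendered. The function names, the quiz data model (an array keyed by question id) and the stand-in implementations of the WordPress helpers are assumptions; inside a real WordPress install the plugin would call the real `sanitize_text_field()`, `esc_html()` and `esc_attr()`.

```php
<?php
// Added example (not MetForm's code): a hypothetical quiz-answer handler showing
// the unsafe pattern the advisory describes (unsanitized input stored, unescaped
// output rendered) beside the hardened form (SI-10 validation on the way in,
// SI-15 escaping on the way out). Function names and the data model are assumed.

// Minimal stand-ins so the file runs outside WordPress (`php quiz.php`).
// Inside WordPress the real sanitize_text_field()/esc_html()/esc_attr() win.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        $s = strip_tags($s);                          // drop any HTML tags
        $s = preg_replace('/[\r\n\t ]+/', ' ', $s);   // collapse whitespace
        return trim($s);
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string { return esc_html($s); }
}

// --- Unsafe pattern: the shape of a CWE-79 stored XSS bug ---
// The raw submission is stored as-is and later echoed into the page verbatim,
// so whatever the submitter typed is parsed as HTML by every later visitor.
function store_quiz_answer_unsafe(array &$db, string $question_id, string $answer): void {
    $db[$question_id] = $answer;                      // no validation (SI-10 missing)
}
function render_quiz_answer_unsafe(array $db, string $question_id): string {
    return '<li>' . $db[$question_id] . '</li>';      // no escaping (SI-15 missing)
}

// --- Hardened pattern ---
function store_quiz_answer(array &$db, string $question_id, string $answer): void {
    // SI-10: accept only what the field is meant to contain. A quiz answer is
    // plain text of bounded length; normalise it and reject anything else.
    $clean = sanitize_text_field($answer);
    if ($clean === '' || strlen($clean) > 500) {      // byte-length bound
        throw new InvalidArgumentException('quiz answer missing or too long');
    }
    // Question ids come from a fixed, known set: whitelist rather than trust.
    if (!preg_match('/^q[0-9]{1,4}$/', $question_id)) {
        throw new InvalidArgumentException('unknown question id');
    }
    $db[$question_id] = $clean;
}
function render_quiz_answer(array $db, string $question_id): string {
    // SI-15: escape at the point of output, for the context the value lands in
    // (HTML text here; esc_attr() inside attributes, esc_url() for hrefs).
    return '<li data-question="' . esc_attr($question_id) . '">'
         . esc_html($db[$question_id] ?? '') . '</li>';
}

// Constructed sample submission: a benign answer that happens to contain
// characters meaningful to HTML, which is exactly what escaping must neutralise.
$submission = 'Answer: 5 < 7 & "quoted" <b>text</b>';

$db = [];
store_quiz_answer_unsafe($db, 'q1', $submission);
echo render_quiz_answer_unsafe($db, 'q1'), PHP_EOL;   // markup reaches the browser unchanged

$db = [];
store_quiz_answer($db, 'q1', $submission);
echo render_quiz_answer($db, 'q1'), PHP_EOL;          // tags stripped on input, metacharacters entity-encoded on output
```

The two halves are independent layers on purpose: sanitizing on input limits what gets stored, but escaping on output is what actually stops a stored value from being interpreted as markup, so a fix that only does one of the two leaves a gap (for example, data that entered the database before the sanitizer was added).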