CVE-2026-1189

Vulnerability

Overview The LeadBI Plugin for WordPress versions up to and including 1.7 contain a Stored Cross-Site Scripting (XSS) vulnerability. The flaw resides in the leadbi_form shortcode, where the form_id parameter is not properly sanitized or escaped before being output. This allows authenticated users with at least Contributor-level access to inject arbitrary web scripts that execute when other users view the affected page [1].

Exploitation

Conditions An attacker must have a WordPress account with Contributor privileges or higher. The attacker can then create or edit a post or page containing the vulnerable shortcode with a malicious form_id value containing JavaScript. No additional authentication is required for the victim; any user visiting the compromised page will trigger the stored script [1].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive data theft. The attack surface. The vulnerability is rated Medium (CVSS 6.4 CVSS v3, reflecting the need for authenticated access but the potential for widespread impact once injected.

Mitigation

The LeadBI plugin has been closed as of January 22, 2026, due to this security issue and is no longer available for download [1]. Users should remove the plugin entirely from their WordPress installations. No patch is available since the plugin is discontinued.