CVE-2026-1401 - Vulnerability Details

- Tune Library <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via CSV Import

Description

The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The vulnerability exists because the CSV import functionality lacks authorization checks and doesn't sanitize imported data, which is later rendered without escaping through the [tune-library] shortcode.

Published: 2026-02-06

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Tune Library plugin for WordPress is vulnerable to stored cross‑site scripting via the CSV import feature. The import routine does not perform proper input sanitization or output escaping, and because it lacks authorization checks, a user with Subscriber or higher privileges can inject malicious scripts that are later rendered through the [tune-library] shortcode. This flaw enables an attacker to persistently embed arbitrary JavaScript that will execute when any user visits the injected page, compromising the integrity of the affected site and potentially exposing sensitive data.

Affected Systems

All versions of the Tune Library plugin up to and including 1.6.3 are impacted. The vulnerability affects installations of the WordPress plugin released by jackdewey, and any site that has not been updated beyond version 1.6.3.

Risk and Exploitability

The CVSS v3.1 score of 6.4 indicates moderate severity. The EPSS score is less than 1 %, suggesting a low probability of widespread exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with Subscriber-level access or higher, and the attacker must use the CSV import functionality to inject payloads that are later displayed without escaping. Because the flaw is stored, once injected, the malicious code will affect all users who view the compromised content.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

jackdewey

Tune Library

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.6.3

No data.

Vendor	Product	Confidence	Versions
Jackdewey	Tune Library	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Tune Library plugin to a version newer than 1.6.3, which contains the necessary input filtering and authorization checks.
If an upgrade is not immediately possible, disable or remove the CSV import feature for Subscriber‑level accounts, and allow upload only for administrators.
Implement a content security policy that restricts script execution from user‑supplied content on the site to mitigate the impact of any residual unsanitized data.

Generated by OpenCVE AI on April 15, 2026 at 18:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00016.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L219
https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L235
https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/writeNodes.php#L113
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3451457%40tune-library&new=3451457%40tune-library&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/cd600810-b1bc-4025-b441-5c90da7240de?source=cve

History

Mon, 09 Feb 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jackdewey Jackdewey tune Library Wordpress Wordpress wordpress
Vendors & Products		Jackdewey Jackdewey tune Library Wordpress Wordpress wordpress

Fri, 06 Feb 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Feb 2026 07:00:00 +0000

Type	Values Removed	Values Added
Description		The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The vulnerability exists because the CSV import functionality lacks authorization checks and doesn't sanitize imported data, which is later rendered without escaping through the [tune-library] shortcode.
Title		Tune Library <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via CSV Import
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L219 https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L235 https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/writeNodes.php#L113 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3451457%40tune-library&new=3451457%40tune-library&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/cd600810-b1bc-4025-b441-5c90da7240de?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Jackdewey Tune Library

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-02-06T06:46:31.276Z

Updated: 2026-04-08T17:24:06.677Z

Reserved: 2026-01-23T21:45:27.335Z

Link: CVE-2026-1401

Vulnrichment

Updated: 2026-02-06T19:25:21.617Z

NVD

Status : Deferred

Published: 2026-02-06T07:16:11.563

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1401

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T19:00:12Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object