Description
The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusedesk_newcase shortcode in all versions up to, and including, 6.8 due to insufficient input sanitization and output escaping on the 'emailtext' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

An attacker with Contributor level or higher credentials can insert malicious JavaScript into the 'emailtext' attribute of the fusedesk_newcase shortcode. When a page containing this shortcode is viewed, the unsanitized script executes in the visitor's browser, enabling session hijacking, data theft, or site defacement. The weakness is a classic example of CWE-79, reflecting improper output filtering.

Affected Systems

All WordPress installations that use the FuseDesk plugin from Jeremy Shapiro up to and including version 6.8 are affected. The vulnerability is present in every release of the plugin distributed through that version threshold, regardless of other plugins or themes.

Risk and Exploitability

With a CVSS score of 6.4 this vulnerability is considered medium‑high. The EPSS score is not available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog, so exact exploitation likelihood is uncertain. The requirement for authenticated Contributor access means that sites with many contributors or with permissive role configurations are at higher risk. An attacker can create or edit a case to embed the malicious payload and then lure users to view that page, where the script runs with the visitor’s credentials.

Generated by OpenCVE AI on March 21, 2026 at 07:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest FuseDesk plugin release that removes the vulnerable shortcode handling.
  • If updating is not immediately possible, restrict the use of the fusedesk_newcase shortcode to trusted administrators or temporarily disable it.
  • Reduce Contributor role privileges to only those essential capabilities and monitor edits to the emailtext field.
  • Deploy site‑wide security headers, such as Content‑Security‑Policy, to mitigate the impact of any accidental XSS delivery.
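The two defensive points above (escape the 'emailtext' attribute at output time, and disable the shortcode until the plugin is updated) as an added PHP illustration that is not FuseDesk's own code: demo_newcase_vulnerable and demo_newcase_hardened are a hypothetical handler with the same attribute, and the mitigation assumes the plugin registers fusedesk_newcase before init priority 99 and that not rendering the form is acceptable meanwhile.

```php
<?php
// Added illustration, not the FuseDesk plugin's code. Assumes the WordPress
// runtime (shortcode_atts, esc_html, esc_attr, add_shortcode, remove_shortcode).
defined( 'ABSPATH' ) || exit;

// Vulnerable pattern (CWE-79): the attribute is interpolated into HTML as-is,
// so whatever a Contributor put in emailtext="..." is rendered to every visitor.
function demo_newcase_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'emailtext' => 'Your email' ), $atts, 'demo_newcase' );
    return '<label>' . $atts['emailtext'] . '</label>'
         . '<input type="email" name="email" placeholder="' . $atts['emailtext'] . '">';
}

// Hardened pattern: escape for the exact output context. esc_html() for a text
// node, esc_attr() inside a quoted attribute; both neutralise angle brackets
// and quotes so the value can only ever be displayed, never interpreted.
function demo_newcase_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'emailtext' => 'Your email' ), $atts, 'demo_newcase' );
    $label = esc_html( $atts['emailtext'] );
    $ph    = esc_attr( $atts['emailtext'] );
    return '<label>' . $label . '</label>'
         . '<input type="email" name="email" placeholder="' . $ph . '">';
}
add_shortcode( 'demo_newcase', 'demo_newcase_hardened' );

// Temporary mitigation for the real shortcode until the fixed release is
// installed: drop this in a must-use plugin (wp-content/mu-plugins/) so the
// tag is unregistered and its attributes are never rendered. Priority 99 is
// an assumption chosen to run after the plugin's own registration on init.
add_action( 'init', function () {
    remove_shortcode( 'fusedesk_newcase' );
}, 99 );
```

With the shortcode unregistered, WordPress leaves the literal [fusedesk_newcase ...] text in the page instead of rendering the form, which is the visible sign that the mitigation is active.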

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

  Type: Metrics
  Values removed: (none)
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

  Type: First Time appeared
  Values removed: (none)
  Values added: Jeremyshapiro; Jeremyshapiro fusedesk; Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values removed: (none)
  Values added: Jeremyshapiro; Jeremyshapiro fusedesk; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

  Type: Description
  Values removed: (none)
  Values added: The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusedesk_newcase shortcode in all versions up to, and including, 6.8 due to insufficient input sanitization and output escaping on the 'emailtext' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

  Type: Title
  Values removed: (none)
  Values added: FuseDesk <= 6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'emailtext' Shortcode Attribute

  Type: Weaknesses
  Values removed: (none)
  Values added: CWE-79

  Type: References
  Values removed: (none)
  Values added:

  Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T17:31:40.520Z
Reserved: 2026-02-04T15:39:06.887Z
Link: CVE-2026-1914

Vulnrichment

Updated: 2026-03-23T15:53:06.460Z

NVD

Status: Awaiting Analysis
Published: 2026-03-21T04:16:56.617
Modified: 2026-03-23T14:32:02.800
Link: CVE-2026-1914

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:41:23Z

Weaknesses