Urgent Security Advisory: Stored XSS in QuestionPro Surveys (≤ 1.0) — What WordPress Site Owners Must Do Now

Summary: A stored cross-site scripting vulnerability (CVE-2026-1901) affecting the QuestionPro Surveys WordPress plugin versions ≤ 1.0 allows authenticated contributor+ users to store malicious content via shortcode attributes. This advisory explains the risk, detection methods, immediate mitigations, developer fixes, and incident response actions. Written with a Hong Kong security practitioner perspective: pragmatic, direct, and operationally focused.

Author: Hong Kong Security Expert  |  Date: 2026-02-13

Table of contents

• Quick summary and risk snapshot
• How this vulnerability works (high level, no exploit code)
• Who is at risk and realistic impact scenarios
• Detection: signs of compromise and queries to run
• Immediate mitigations for WordPress site owners
• Developer guidance: secure fixes and sanitization best practices
• WAF / virtual patching guidance (vendor-agnostic)
• Operational hardening and long-term controls
• Incident response checklist and recovery
• Frequently asked questions
• Recommended checklist (quick reference)
• Conclusion

Quick summary and risk snapshot

• Vulnerability: Authenticated (Contributor+) Stored Cross‑Site Scripting (XSS) via shortcode attributes in QuestionPro Surveys plugin (≤ 1.0). CVE-2026-1901.
• Severity: Medium (CVSS ~6.5 reported). Context matters: contributor-level access is common on multi-author sites.
• Exploitation requirements: An authenticated account with Contributor or higher privileges that can create or edit content containing shortcodes.
• Impact: Stored XSS can execute scripts in the browsers of visitors or administrators — session theft, UI redress, or higher-privilege takeovers are possible if an admin/editor views the compromised content.
• Fix status at disclosure: No official plugin update was available at time of disclosure. Apply mitigations below until a vendor patch is published.

How this vulnerability works (overview — no exploit details)

WordPress shortcodes accept attributes and return HTML for display. If a plugin outputs attribute values directly into the page without proper sanitization or context-aware escaping, an authenticated user can insert script or HTML into those attributes. Since the content is stored (post content, postmeta, or plugin options), this becomes a stored XSS: it executes later when a page is rendered.

Key points:

• The attacker must be authenticated as Contributor or higher on the target site.
• Stored XSS is persistent and can affect multiple users over time.
• The vulnerability typically stems from missing esc_attr(), esc_html(), wp_kses(), or similar escaping at output.

Who is at risk and realistic impact scenarios

At-risk sites:

• Any WordPress site with QuestionPro Surveys installed and active (≤ 1.0).
• Sites that permit contributor-level accounts (guest authors, community contributors).
• Sites where editors or admins preview contributor submissions in the admin UI.

Realistic scenarios:

1. A contributor creates a post containing a survey shortcode with malicious attributes. An administrator previews the post in the admin interface — the script runs in the admin’s browser, enabling session theft or malicious actions.
2. A contributor updates widget content, postmeta, or survey settings that are displayed on pages visited by editors/admins, causing scripts to execute when those pages are viewed.
3. Social engineering is used to lure an editor/admin into previewing a compromised page, triggering higher-privilege impact.

Detection: signs your site may be compromised

Proactively search for suspicious content. Indicators include occurrences of