cleantalk
Vulnerabilities and Security Researches

Tune Library, CVE-2026-1401

CVE, Research URL

CVE-2026-1401

Home page URL

Security reports for Tune Library

Application

Tune Library

Published on
Feb 06, 2026
Research Description
The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The vulnerability exists because the CSV import functionality lacks authorization checks and doesn't sanitize imported data, which is later rendered without escaping through the [tune-library] shortcode.
Affected versions
max 1.6.4.
Status
vulnerable
Previous vulnerability researches
Easy Author Image (79fa8f492d7f28c4425b1902bfd74de74f041e65) , Jun 07, 2024
Easy Author Image (CVE-2026-1373) , Apr 15, 2026
New vulnerability
AMP Enhancer – Compatibility Layer for Official AMP Plugin (CVE-2026-2027) , Apr 16, 2026
WaveSurfer-WP (CVE-2026-1909) , Apr 16, 2026
xmlrpc attacks blocker (CVE-2026-2502) , Apr 16, 2026
Templately – Gutenberg & Elementor Template Library: 5000+ Free & Pro Ready Templates & Cloud! (CVE-2026-0831) , Apr 16, 2026
iRobots.txt SEO (CVE-2025-68840) , Apr 16, 2026