CVE Catalog

CVE-2026-8900

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Summary

The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via Shortcode Attributes in all versions up to and including 1.2.8 due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Risk Assessment

Attackers can inject malicious scripts, posing a risk of user data theft and session hijacking of administrators. This can lead to serious security breaches within the organization.

Recommendation

It is recommended to update the plugin to the latest version to mitigate this vulnerability. Additionally, conducting a security audit of existing content to detect potential malicious scripts is advisable.

Original NVD description (English source)

The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. WordPress KSES does not strip malicious shortcode attribute values on post save, allowing contributor-level users to persist payloads that execute for any visitor, including administrators reviewing the post.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS