MEDIUM 6.4

CVE-2026-8900: Simple SEO Slideshow Plugin Stored XSS Vulnerability

The Simple SEO Slideshow WordPress plugin has a security flaw that allows authenticated users with contributor-level permissions or higher to inject malicious scripts into pages. When someone visits a page containing this injected code, the script executes in their browser—including for administrators. The vulnerability exists because the plugin does not properly filter user input when processing shortcode attributes, even though WordPress has built-in protections that should catch this. All versions through 1.2.8 are affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. WordPress KSES does not strip malicious shortcode attribute values on post save, allowing contributor-level users to persist payloads that execute for any visitor, including administrators reviewing the post.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8900 is a Stored Cross-Site Scripting (XSS) vulnerability in the Simple SEO Slideshow plugin arising from insufficient input sanitization and output escaping of shortcode attributes. The plugin fails to properly validate and escape attribute values before storing them in post content. While WordPress KSES filtering is intended to strip dangerous content on post save, the plugin's shortcode implementation allows malicious payloads to persist in shortcode attributes where they bypass KSES restrictions. When the page renders, these attributes are output without escaping, causing arbitrary JavaScript execution in the context of the affected page. The vulnerability requires authenticated access at contributor level or above, meaning it is primarily a post-authentication privilege escalation vector where contributors can compromise content integrity and attack administrators.

Business impact

This vulnerability creates a lateral privilege escalation path within WordPress installations. Contributors—typically lower-privilege users meant only to draft content—can inject persistent malicious scripts that execute for all visitors, including site administrators and other privileged users. An attacker with contributor access could steal administrator session cookies, perform unauthorized administrative actions, modify site content, or capture sensitive information viewed on the affected page. For multi-author WordPress sites, this represents a significant trust boundary violation. Organizations relying on contributor-level access controls to restrict user capabilities will find those controls ineffective against this attack.

Affected systems

All versions of the Simple SEO Slideshow plugin up to and including version 1.2.8 are vulnerable. The vulnerability affects WordPress installations where this plugin is active and where users have been granted contributor-level access or higher. Organizations should verify the current version of this plugin in their WordPress environments and determine how many contributors or editors have access to the affected sites.

Exploitability

Exploiting this vulnerability requires valid WordPress authentication credentials with contributor-level access or above. No special tools or advanced techniques are needed; an attacker with legitimate contributor status can inject malicious shortcode attributes through the normal page/post editing interface. The injected payload persists in the database and executes automatically whenever any user views the affected page, requiring no additional user interaction. This makes it highly exploitable within organizations where contributor accounts are distributed or where account compromise is possible.

Remediation

Update the Simple SEO Slideshow plugin to a version that properly sanitizes and escapes shortcode attributes. Verify the patched version against the official plugin repository. In the interim, organizations should audit who has contributor-level or higher access and consider temporarily restricting these permissions to trusted users only. Review post content and post revisions for suspicious shortcode attributes. Consider implementing additional security monitoring on user-created content, particularly in multiauthor environments.

Patch guidance

Check the official Simple SEO Slideshow plugin repository or the vendor's advisory for the patched version number that addresses this vulnerability. Update the plugin through the WordPress admin dashboard once a secure version is available. Always test updates in a staging environment before applying to production. If no patch is yet available at the time of discovery, consider temporarily disabling the plugin or restricting contributor access until a fix is released.

Detection guidance

Search post content and post revisions for the Simple SEO Slideshow shortcode with suspicious or obfuscated attribute values. Common XSS payloads include javascript: URLs, event handlers (onload, onclick), or base64-encoded script tags within attributes. Monitor WordPress audit logs and post revision history for unexpected modifications to pages containing this shortcode. Use Web Application Firewalls (WAF) to detect and block requests containing common XSS patterns in POST requests to wp-admin/post.php. Security plugins that monitor shortcode usage or content changes may also flag suspicious activity.

Why prioritize this

This vulnerability merits prompt attention because it enables authenticated users to escalate privilege and compromise content integrity across an entire site. Although it requires contributor-level access, many WordPress installations distribute such accounts to clients, agencies, or team members. The stored nature of the XSS means the attack is persistent and affects all future visitors, including high-value targets like administrators. The CVSS score of 6.4 (MEDIUM) reflects the authentication requirement, but the real-world risk in multiauthor environments is often higher than the base score suggests.

Risk score, explained

The CVSS v3.1 score of 6.4 (MEDIUM) reflects an attack that requires network access and authentication (PR:L for contributor level) but causes no service disruption (A:N) and affects data confidentiality and integrity (C:L, I:L). The scope is changed (S:C) because the impact affects users beyond the attacker themselves—in this case, any site visitor. The score appropriately captures the privilege escalation and persistence aspects, though organizations should consider their own context: multiauthor sites with many contributors face elevated risk, while single-author or tightly controlled environments face lower risk.

Frequently asked questions

Can an unauthenticated attacker exploit this vulnerability?

No. The vulnerability requires valid WordPress authentication credentials with at least contributor-level access. An attacker must have a legitimate user account on the WordPress site or must compromise an existing contributor account.

Does WordPress KSES protect against this attack?

WordPress KSES filtering is intended to strip malicious content, but in this case, the plugin bypasses those protections by storing malicious payloads in shortcode attributes in a way that KSES does not catch on post save. The vulnerability stems from the plugin's failure to properly escape attribute values when rendering the shortcode.

Will this vulnerability affect my site if no one uses the Simple SEO Slideshow plugin?

No. If the plugin is not installed or is not active, your site is not affected by this CVE. You can verify plugin status in the WordPress admin dashboard under Plugins.

What is the difference between this vulnerability and typical WordPress vulnerabilities?

This vulnerability specifically requires contributor-level access, making it a post-authentication privilege escalation. Traditional WordPress plugin vulnerabilities may be exploitable by unauthenticated users. This increases the barrier to exploitation but remains critical in multiauthor environments where contributors are common.

This analysis is provided for informational purposes and represents the state of knowledge as of the publication date. Always verify patch availability and version numbers directly with the official plugin repository or vendor advisory before applying updates. Exploit details and proof-of-concept code are not included in this analysis. Organizations should conduct their own risk assessment based on their deployment, user permissions, and business context. This information does not constitute professional security advice or legal guidance. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).