CVE-2021-47922
Description
Stored XSS in Soliloquy 2.6.2 title parameter allows authenticated attackers to inject scripts that execute on admin and frontend views.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Slider by Soliloquy version 2.6.2 contains a stored cross-site scripting (XSS) vulnerability in the slider title parameter [3]. Authenticated users with the ability to create or edit sliders can inject arbitrary JavaScript into the title field. The payload is stored in the database and executed when any user views the slider on both administrative and public-facing pages. The vulnerability is classified as CWE-79 [3].
Exploitation
An attacker must be an authenticated WordPress user with sufficient privileges to create or edit sliders. The attacker creates a new slider (or edits an existing one) and enters a malicious script in the title field, e.g., `` [4]. After saving and publishing the slider, the script is triggered when the slider is viewed. Accessing the slider edit page or the frontend slider display will execute the injected script [4].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack affects both administrators viewing the slider in the admin panel and end users browsing the live site [3][4].
Mitigation
As of the publication date, no official patch has been released for this vulnerability. Users should consider disabling the plugin or restricting slider editing capabilities to trusted users only. Monitor vendor updates for a fixed version.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =2.6.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of user-controllable input in the title field before it is stored and rendered in web pages."
Attack vector
An authenticated attacker with the ability to create or edit sliders injects a JavaScript payload into the title field (e.g., `
Affected code
The vulnerability exists in the Slider by Soliloquy plugin version 2.6.2 for WordPress. The title parameter of slider posts is not sanitized before being stored and later rendered in the browser. The flaw affects both the administrative edit page (`wp-admin/post.php`) and the frontend slider display page.
What the fix does
No patch is included in the bundle. The advisory [1] does not describe a vendor fix. To remediate, the plugin should properly sanitize and escape the title field output using WordPress functions such as `esc_html()` or `wp_kses_post()` to prevent JavaScript execution in the browser.
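The remediation described above, as an added illustration (not Soliloquy's own code): a stored title rendered without escaping next to the same value sanitized on save and escaped on output. It assumes a WordPress runtime; the `example_*` function names and the `_example_slider_title` meta key are placeholders.

```php
<?php
// Added example, not the plugin's code. Assumes the WordPress API is loaded;
// function names and the meta key are constructed for illustration.

// BEFORE: the stored title is concatenated straight into the markup, so any
// tags saved in it are interpreted by the browser on both the admin edit page
// and the frontend slider (the CWE-79 pattern the advisory describes).
function example_render_slider_title_unsafe( $post_id ) {
    $title = get_post_meta( $post_id, '_example_slider_title', true );
    return '<h2 class="slider-title">' . $title . '</h2>';
}

// AFTER, step 1: normalise on input. sanitize_text_field() strips tags and
// invalid bytes, so script markup never reaches the database. The capability
// check limits who may change the title at all.
function example_save_slider_title( $post_id, $raw_title ) {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return false;
    }
    $clean = sanitize_text_field( wp_unslash( $raw_title ) );
    update_post_meta( $post_id, '_example_slider_title', $clean );
    return $clean;
}

// AFTER, step 2: escape on output no matter what is stored. esc_html() converts
// < > & " ' to entities, so a title that still carries markup is displayed as
// literal text. Use esc_attr() when the value lands inside an attribute.
function example_render_slider_title_safe( $post_id ) {
    $title = get_post_meta( $post_id, '_example_slider_title', true );
    return '<h2 class="slider-title">' . esc_html( $title ) . '</h2>';
}

// If a limited set of formatting tags must be allowed in the title, filter with
// wp_kses_post() instead of esc_html(): it keeps post-safe tags such as <em>
// and drops <script> and on* event-handler attributes.
function example_render_slider_title_formatted( $post_id ) {
    $title = get_post_meta( $post_id, '_example_slider_title', true );
    return '<h2 class="slider-title">' . wp_kses_post( $title ) . '</h2>';
}
```

Both the input sanitization and the output escaping are needed: the save path blocks new payloads, while the render path also neutralises titles already stored before the fix.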
Preconditions
- Auth: Attacker must have an authenticated WordPress user account with permission to create or edit Soliloquy slider posts.
- Config: The Slider by Soliloquy plugin version 2.6.2 must be installed and activated.
- Network: No special network position required; the attacker submits the payload via the WordPress admin panel over HTTP/HTTPS.
Reproduction
1. Install and activate the Slider by Soliloquy 2.6.2 plugin.
2. Open Soliloquy and use the "Add New" button to create a new slider post.
3. Enter a payload such as `
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.