CVE-2026-1634
Description
The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated reflected XSS in Subitem AL Slider for WordPress via unsanitized `$_SERVER['PHP_SELF']`, patched by plugin closure.
Overview
The Subitem AL Slider plugin for WordPress, version 1.0.0 and all earlier versions, is vulnerable to reflected cross-site scripting (XSS). The root cause is insufficient input sanitization and output escaping on the $_SERVER['PHP_SELF'] parameter, allowing arbitrary script injection.
Exploitation
An unauthenticated attacker can craft a malicious link whose $_SERVER['PHP_SELF'] value has been modified to carry a JavaScript payload. The victim must be tricked into clicking the link; no authentication or special privileges are needed, only the user interaction that triggers the reflection. The attack surface is any page where the plugin outputs the raw server variable.
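To make the root cause concrete, the following is an added example and not the plugin's actual template (whose contents are not reproduced here): a constructed PHP fragment that writes $_SERVER['PHP_SELF'] into HTML unescaped, beside a hardened form that builds the URL server-side and escapes for the output context. The function names and the admin page slug are assumptions.

```php
<?php
// Added example, not the plugin's own template: a constructed WordPress admin
// fragment that writes $_SERVER['PHP_SELF'] into a form's action attribute.
// Function names and the admin page slug below are assumptions.

// Vulnerable pattern (the bug class this CVE describes): PHP_SELF is derived
// from the request path as the client sent it, so placing it in HTML without
// escaping lets request-controlled characters become markup.
function subitem_form_open_vulnerable(): string {
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// Hardened pattern: build the action server-side (admin_url()) instead of
// echoing a request-derived value, and escape it for the attribute context
// (esc_url()).
function subitem_form_open_hardened(): string {
    $action = esc_url( admin_url( 'admin.php?page=subitem-al-slider' ) );
    return '<form method="post" action="' . $action . '">';
}

// If a request-derived path really must be printed, escape it for the context
// it lands in; esc_attr() encodes quotes, angle brackets and ampersands.
function subitem_self_path_escaped(): string {
    return esc_attr( $_SERVER['PHP_SELF'] );
}

// Stand-ins so this file runs outside WordPress; real WordPress defines these
// (its esc_url() also rejects unsafe URL schemes, which this stub omits).
if ( ! function_exists( 'admin_url' ) ) {
    function admin_url( string $path = '' ): string {
        return 'https://example.invalid/wp-admin/' . $path;
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( string $url ): string {
        return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( string $text ): string {
        return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Constructed request path containing a double quote: after escaping, the
// quote is encoded and can no longer terminate the HTML attribute.
$_SERVER['PHP_SELF'] = '/wp-admin/admin.php/"';
echo subitem_form_open_hardened(), "\n";   // action is the server-built URL
echo subitem_self_path_escaped(), "\n";    // the quote is entity-encoded
```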
Impact
Successful exploitation lets the attacker execute arbitrary web scripts in the victim's browser session. This can lead to session hijacking, defacement, credential theft, or redirection to attacker-controlled sites. The CVSS v3 base score of 6.1 (Medium) reflects the requirement for user interaction to achieve impact.
Mitigation
The plugin has been closed on the WordPress plugin directory as of February 5, 2026, citing a security issue [1]. No patched version exists; the only remediation is to remove the plugin. Administrators should verify the plugin is not present and scan for any residual malicious code.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), affected range: <=1.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/subitem-al-slider/tags/1.0.0/templates/tab1_block1.tpl (source: nvd)
- plugins.trac.wordpress.org/browser/subitem-al-slider/trunk/templates/tab1_block1.tpl (source: nvd)
- wordpress.org/plugins/subitem-al-slider/ (source: nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/4bfeff72-27de-46a9-b947-f60255b5d062 (source: nvd)
News mentions
No linked articles in our index yet.