CVE-2026-1899
Description
The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aps_slider shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on the 'post_type' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Any Post Slider WordPress plugin through 1.0.4 allows authenticated attackers with Contributor-level access to inject arbitrary scripts via the 'post_type' attribute.
The Any Post Slider plugin for WordPress versions up to and including 1.0.4 contains a Stored Cross-Site Scripting vulnerability in its aps_slider shortcode. The post_type attribute lacks proper input sanitization and output escaping, enabling attackers to inject arbitrary web scripts.
To exploit this vulnerability, an attacker must be authenticated with at least Contributor-level access on the WordPress site. They can inject malicious script code via the shortcode attribute, which is then stored and executed when any user visits a page displaying the slider.
The impact includes execution of arbitrary JavaScript in the context of a logged-in user's session, potentially leading to session hijacking, site defacement, or redirection to malicious sites. The plugin has been temporarily closed as of April 6, 2026, pending a full review [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
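An added example, not part of the CVE record or the plugin's code: an audit that scans stored post content for aps_slider shortcodes whose post_type value is not a plain post type key, so that injected pages can be found and cleaned. The (id, content) pairs are constructed sample data, and the allowed-value pattern is an assumption based on WordPress post type keys.

```python
import re

# Shortcode tag and attribute named in the CVE description.
SHORTCODE = "aps_slider"
ATTRIBUTE = "post_type"

# Assumption: a legitimate value is a WordPress post type key, i.e. lowercase
# letters, digits, dashes and underscores, at most 20 characters long.
VALID_POST_TYPE = re.compile(r"[a-z0-9_-]{1,20}")

# One [aps_slider ...] tag; the attribute text stops at the first "]".
TAG_RE = re.compile(r"\[" + SHORTCODE + r"(?=[\s\]/])([^\]]*)\]", re.IGNORECASE)

# post_type="..."  |  post_type='...'  |  post_type=bare
ATTR_RE = re.compile(
    r"\b" + ATTRIBUTE + r"""\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))""",
    re.IGNORECASE,
)

# Constructed sample data standing in for rows of wp_posts (ID, post_content).
SAMPLE_POSTS = [
    (101, 'Intro text [aps_slider post_type="post"] closing text'),
    (102, "[aps_slider post_type='product']"),
    (103, '[aps_slider post_type="post<b>x</b>"]'),  # markup inside the value
    (104, "[aps_slider post_type=page]"),
]


def audit_posts(posts):
    """Return (post_id, value) for every post_type value that is not a plain key."""
    findings = []
    for post_id, content in posts:
        for tag in TAG_RE.finditer(content):
            for match in ATTR_RE.finditer(tag.group(1)):
                # Exactly one of the three alternatives captured the value.
                value = next(g for g in match.groups() if g is not None)
                if value and not VALID_POST_TYPE.fullmatch(value):
                    findings.append((post_id, value))
    return findings


if __name__ == "__main__":
    for post_id, value in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: suspicious post_type value {value!r}")
```

Any post it reports was saved with a post_type value that no registered post type could have, which is worth reviewing together with the account that authored it.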
Affected products
- Range: <=1.0.4
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/any-post-slider/tags/1.0.4/public/partials/any-post-slider-no_content.php (nvd)
- plugins.trac.wordpress.org/browser/any-post-slider/trunk/public/partials/any-post-slider-no_content.php (nvd)
- wordpress.org/plugins/any-post-slider (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/562f194f-1f32-4de4-8074-84580f653bdb (nvd)