Slideshow Gallery LITE <= 1.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'alwaysauto' Shortcode Attribute
Description
The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <= 1.8.5
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization and output escaping on the 'alwaysauto' shortcode attribute allows stored cross-site scripting."
Attack vector
An authenticated attacker with at least Contributor-level access can inject a malicious `alwaysauto` attribute value into the `[slideshow]` shortcode when creating or editing a post. Because the plugin fails to sanitize and escape this attribute, the injected JavaScript is stored in the database and executed in the browsers of any user who views the affected page. This is a classic Stored Cross-Site Scripting (XSS) attack [CWE-79].
Affected code
The vulnerability resides in the `embed()` method of the `SlideshowGallery` class (registered as the `[slideshow]` and `[tribulant_slideshow]` shortcode handlers). The `alwaysauto` shortcode attribute is not sanitized or escaped before being output, allowing stored XSS.
What the fix does
The advisory states that the vulnerability is due to insufficient input sanitization and output escaping on user-supplied attributes. The patch (version 1.8.6) should apply proper sanitization and escaping to the `alwaysauto` attribute before it is rendered. Without the patch, an attacker can inject arbitrary HTML and JavaScript via this attribute.
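As an added illustration (not code from the plugin or from its 1.8.6 patch), the handler below shows the unsafe pattern the advisory describes, a shortcode attribute written into markup unchanged, next to a hardened version that validates `alwaysauto` against the two values a boolean option can take and still escapes on output. `shortcode_atts()`, `esc_attr()` and `filter_var()` are real WordPress/PHP APIs; the two function names and the markup are assumptions.

```php
<?php
// Hypothetical handlers for illustration only; the real plugin's handler is
// SlideshowGallery::embed(), whose internals are not reproduced here.

// Unsafe pattern: the attribute value a Contributor typed into the shortcode
// is stored in post_content and emitted verbatim to every visitor's browser,
// so it can break out of the attribute and the tag.
function slideshow_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'alwaysauto' => 'false' ), $atts, 'slideshow' );
    return '<div class="slideshow" data-alwaysauto="' . $atts['alwaysauto'] . '"></div>';
}

// Hardened pattern: sanitize on input (normalise to a real boolean, rejecting
// anything else), then escape on output anyway as defence in depth.
function slideshow_hardened( $atts ) {
    $atts = shortcode_atts( array( 'alwaysauto' => 'false' ), $atts, 'slideshow' );

    // FILTER_VALIDATE_BOOLEAN accepts "1", "true", "on", "yes" / "0", "false",
    // "off", "no", ""; with FILTER_NULL_ON_FAILURE every other string yields
    // null, which we map to the default rather than passing it through.
    $auto = filter_var(
        (string) $atts['alwaysauto'],
        FILTER_VALIDATE_BOOLEAN,
        FILTER_NULL_ON_FAILURE
    );
    if ( null === $auto ) {
        $auto = false;
    }

    // The rendered value is now one of two constant strings chosen by the
    // code, never the attacker's text; esc_attr() guards the attribute
    // context should a future change reintroduce a pass-through.
    $value = $auto ? 'true' : 'false';
    return '<div class="slideshow" data-alwaysauto="' . esc_attr( $value ) . '"></div>';
}
```

The same two steps, allow-listing on input and context-appropriate escaping on output, apply to every shortcode attribute a plugin renders, not only `alwaysauto`.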
Preconditions
- Auth: The attacker must have a WordPress account with at least Contributor-level permissions.
- Input: The attacker must be able to insert or edit a post/page containing the `[slideshow]` shortcode.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/slideshow-gallery/tags/1.8.5/slideshow-gallery.php
- plugins.trac.wordpress.org/browser/slideshow-gallery/tags/1.8.5/views/default/gallery.php
- plugins.trac.wordpress.org/browser/slideshow-gallery/trunk/slideshow-gallery.php
- plugins.trac.wordpress.org/browser/slideshow-gallery/trunk/views/default/gallery.php
- plugins.trac.wordpress.org/changeset
- www.wordfence.com/threat-intel/vulnerabilities/id/55d842fc-a750-4b59-a1d6-b3bd427dfe79