CVE-2026-24626

Vulnerability

Overview The Logo Slider plugin for WordPress (logo-slider-wp) versions up to and including 5.1.1 contain a stored cross-site scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be stored and later executed in the context of an administrator's or visitor's browser session [1].

Exploitation

Conditions Exploitation requires an authenticated user with at least contributor-level privileges to inject the payload through a vulnerable input field. The attacker does not need direct access to the server; they can submit the malicious payload via the plugin's admin interface. Successful execution depends on a privileged user (e.g., admin) subsequently viewing the affected page, which triggers the stored script [1].

Impact

An attacker who successfully exploits this vulnerability can inject arbitrary HTML and malicious scripts, such as redirects, advertisements, or other HTML payloads. These scripts execute when any visitor (including site, potentially leading to session hijacking, defacement, or further compromise of the WordPress installation [1].

Mitigation

The vendor has not released a patched version for this specific CVE as of the publication date. Users are strongly advised to update the plugin to the latest available. If an update is not possible, consider disabling the plugin or implementing a web application firewall (WAF) rule to block XSS payloads. The vulnerability is listed as requiring user interaction, but the risk is elevated due to its use in mass-exploit campaigns [1].