CVE-2026-42653

Vulnerability

SliceWP versions through 1.2.6 are vulnerable to stored cross-site scripting due to improper neutralization of input during web page generation [1]. Attackers can inject arbitrary scripts into posts or pages, which are stored and executed when other users access the affected content.

Exploitation

An attacker with contributor-level privileges or higher can craft a malicious input that bypasses sanitization. The injected script is stored in the WordPress database and executed in the browser of any user viewing the affected page, including administrators. User interaction is required for the script to execute, such as clicking a link or visiting the page [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information [1]. The attack can be used in mass-exploit campaigns targeting thousands of websites.

Mitigation

Update SliceWP to version 1.2.7 or later, which fixes the vulnerability [1]. The vulnerability is listed as known to be exploited (KEV). If immediate update is not possible, consider applying a virtual patch through a web application firewall or consult your hosting provider [1].