CVE-2026-48968

Vulnerability

A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in the WordPress Master Slider plugin from version n/a through 3.10.8 [1]. Improper neutralization of input during web page generation allows an attacker to inject arbitrary JavaScript payloads that execute in the context of the victim's browser session [1].

Exploitation

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a specially designed form [1]. An authenticated attacker with sufficient privileges (typically at least Contributor level) can craft a malicious input that, when rendered by the slider module, triggers XS-Shell code execution on the victim's browser [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any user who visits the compromised page. This could be used to redirect visitors to malicious sites, inject advertisements, steal session cookies, or perform other HTML/script injection attacks [1]. The attacker's scripts run with the privileges of the logged-in user viewing the page.

Mitigation

Patchstack recommends updating the plugin to version 3.10.9 or later, released on 2026-05-27 or shortly thereafter [1]. For Patchstack users, enabling auto-update for vulnerable plugins only is advised. Users unable to update immediately should consult their hosting provider or web developer for assistance [1].