VYPR
Medium severity · 6.4 · NVD Advisory · Published May 27, 2026

CVE-2026-8866

Description

The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes (userid, albumid, authkey, imgmax, maxresults, random, caption, albumlink, time, and fadespeed) in the googleslides_handler() function, which interpolates the attribute values directly into single-quoted HTML attributes without using esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in jQuery googleslides plugin <=1.3 via unsanitized shortcode attributes, allowing authenticated contributors to inject arbitrary scripts.

Vulnerability

The jQuery googleslides plugin for WordPress, in all versions up to and including 1.3, contains a Stored Cross-Site Scripting (XSS) vulnerability in the googleslides_handler() function (found in init.php). The function defines default values for attributes such as userid, albumid, authkey, imgmax, maxresults, random, caption, albumlink, time, and fadespeed, then merges them with user-supplied attributes via shortcode_atts() [1][2]. However, these attribute values are interpolated directly into single-quoted HTML attributes without using esc_attr(), meaning that an attacker can inject malicious JavaScript through any of these parameters in the [googleslides] shortcode. No other configuration changes are required to reach the vulnerable code path beyond adding the shortcode to a post or page.

Exploitation

An attacker needs at least Contributor-level access to the WordPress site, i.e. the ability to create or edit posts in which shortcodes are rendered. The attacker embeds the [googleslides] shortcode in a post and supplies a crafted attribute value such as userid=' onfocus='alert(1)' autofocus='. Because the plugin writes the value into a single-quoted HTML attribute verbatim, the leading quote closes that attribute and the remainder of the value is parsed as new attributes, here an event handler. In the shortcode itself the value is wrapped in double quotes so that it can carry single quotes, and the post-content filtering applied to low-privilege roles acts on HTML tags, not on shortcode text. No interaction beyond visiting the affected page is required when the handler is one that fires on its own, such as onfocus paired with autofocus. Contributors cannot publish, but the shortcode is also rendered when an Editor or Administrator previews the submitted draft, so a privileged reviewer can be targeted before publication. Any of the listed attributes can serve as the injection vector [1][2].
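The defect and its fix side by side, as an added example written for this page rather than code taken from the plugin: the handler bodies, the div they render and the stand-ins for shortcode_atts() and esc_attr() are assumptions so that the script runs with plain php outside WordPress; only the function name, file and attribute names come from the advisory. The attacker input is constructed.

```php
<?php
// Added example, not the plugin's own code: a reconstruction of the pattern
// CVE-2026-8866 describes (shortcode attributes interpolated into single-quoted
// HTML attributes without esc_attr()) beside the hardened form. The function
// bodies, the element rendered and the stand-ins for the WordPress helpers are
// assumptions; only the names come from the advisory. Runs with plain `php`.

if (!function_exists('shortcode_atts')) {
    // Stand-in for WordPress shortcode_atts(): keep only known keys, fill defaults.
    function shortcode_atts(array $defaults, array $atts): array {
        $out = [];
        foreach ($defaults as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? (string) $atts[$name] : $default;
        }
        return $out;
    }
}

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): encode the characters that can end or
    // alter an HTML attribute value. WordPress's version also normalises the
    // charset and avoids double-encoding; the core idea is the same.
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Attribute names from the advisory; the default values are assumptions.
function googleslides_defaults(): array {
    return [
        'userid' => '', 'albumid' => '', 'authkey' => '', 'imgmax' => '640',
        'maxresults' => '10', 'random' => 'false', 'caption' => 'true',
        'albumlink' => 'true', 'time' => '4000', 'fadespeed' => '1000',
    ];
}

// Vulnerable shape: merged values go straight into single-quoted attributes.
function googleslides_handler_vulnerable($atts): string {
    $a = shortcode_atts(googleslides_defaults(), (array) $atts);
    return "<div class='googleslides' data-userid='{$a['userid']}' "
         . "data-albumid='{$a['albumid']}' data-imgmax='{$a['imgmax']}'></div>";
}

// Hardened shape: every merged value passes through esc_attr() first, so a
// quote inside the value is emitted as an entity and cannot close the attribute.
function googleslides_handler_fixed($atts): string {
    $a = array_map('esc_attr', shortcode_atts(googleslides_defaults(), (array) $atts));
    return "<div class='googleslides' data-userid='{$a['userid']}' "
         . "data-albumid='{$a['albumid']}' data-imgmax='{$a['imgmax']}'></div>";
}

// Crude breakout detector: true when the markup carries an on*='...' attribute.
function contains_injected_handler(string $html): bool {
    return (bool) preg_match('/\s+on[a-z]+\s*=\s*[\'"]/i', $html);
}

// Constructed attacker input. In a post it is written with double quotes so the
// value can carry single quotes: [googleslides userid="' onfocus='alert(1)' autofocus='"]
$attacker = ['userid' => "' onfocus='alert(1)' autofocus='"];

$vuln  = googleslides_handler_vulnerable($attacker);
$fixed = googleslides_handler_fixed($attacker);

echo "vulnerable: $vuln\n";
echo "fixed:      $fixed\n";
printf("handler attribute present: vulnerable=%s fixed=%s\n",
    var_export(contains_injected_handler($vuln), true),
    var_export(contains_injected_handler($fixed), true));
```

In the first line of output the payload's leading quote terminates data-userid and the rest of the value lands in the markup as attributes of its own; in the second the same input is emitted as entity-encoded text inside the attribute. The fix is applying esc_attr() at the point of interpolation, not at shortcode parsing time: filtering values earlier would still leave any later raw interpolation exposed.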

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any victim user’s browser when they view the compromised page. This can lead to session hijacking, theft of cookies or authentication tokens, defacement, redirection to malicious sites, or phishing attacks within the trusted WordPress environment. Since the injected script is stored in the database, the attack persists across visits and can affect all users, including administrators.

Mitigation

No patched version had been released as of the advisory's publication date (2026-05-27); version 1.3 is the latest release and remains vulnerable. Users should disable or remove the plugin where it is not essential. Short of that, the only workaround is to remove the shortcode from all posts and pages (including drafts and revisions) and to ensure that no untrusted users hold Contributor-level access or higher. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
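A triage scan for the workaround above, as an added example that is not part of the advisory: it pulls every [googleslides ...] shortcode out of post content, parses the attributes with the three quoting forms WordPress shortcode syntax allows, and flags values that could break out of a single-quoted attribute. The sample rows are constructed; their shape (ID, post_author, post_content) mirrors a query against wp_posts, which a real run would supply, and the shortcode regex is an assumption that does not handle a literal ] inside a value.

```php
<?php
// Added example, not from the advisory or the plugin: scan post content for
// [googleslides ...] shortcodes whose attribute values could break out of a
// single-quoted HTML attribute. Sample rows are constructed; on a live site
// they come from wp_posts (include post_type = 'revision' so payloads that
// were edited away afterwards are still found).

// Parse name=value pairs the way WordPress shortcode syntax allows:
// name="v", name='v', or bare name=v. Returns [name => value].
function parse_shortcode_atts(string $text): array {
    $atts = [];
    $re = '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/';
    if (preg_match_all($re, $text, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $hit) {
            $value = '';
            for ($i = 2; $i <= 4; $i++) {             // first populated group wins
                if (isset($hit[$i]) && $hit[$i] !== '') { $value = $hit[$i]; break; }
            }
            $atts[strtolower($hit[1])] = $value;
        }
    }
    return $atts;
}

// A value is suspicious if it can end the attribute or add one:
// a quote, an angle bracket, or an on*= handler.
function is_breakout_value(string $value): bool {
    return (bool) preg_match('/[\'"<>]|\bon[a-z]+\s*=/i', $value);
}

// Scan rows of ['ID', 'post_author', 'post_content']; return one finding per
// suspicious attribute so the post (and its author) can be reviewed.
function scan_posts(array $rows): array {
    $findings = [];
    foreach ($rows as $row) {
        if (!preg_match_all('/\[googleslides\b([^\]]*)\]/i', $row['post_content'], $m)) {
            continue;
        }
        foreach ($m[1] as $attText) {
            foreach (parse_shortcode_atts($attText) as $name => $value) {
                if (is_breakout_value($value)) {
                    $findings[] = ['ID' => $row['ID'], 'author' => $row['post_author'],
                                   'attr' => $name, 'value' => $value];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows, not real site data.
$rows = [
    ['ID' => 11, 'post_author' => 2,
     'post_content' => 'Holiday photos [googleslides userid="102938" albumid="Trip" imgmax="800"]'],
    ['ID' => 12, 'post_author' => 7,
     'post_content' => '[googleslides userid="\' onfocus=\'alert(1)\' autofocus=\'" albumid="x"]'],
    ['ID' => 13, 'post_author' => 7, 'post_content' => 'No shortcode here.'],
];

foreach (scan_posts($rows) as $f) {
    printf("post %d (author %d): attribute %s = %s\n",
        $f['ID'], $f['author'], $f['attr'], $f['value']);
}
```

The scan is deliberately broad: a quote or angle bracket in any of these attributes has no legitimate use, so every hit deserves a look, and the author column shows which accounts to audit when the shortcode was not placed by a trusted editor.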

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0 (no linked articles in our index yet)