VYPR
← All advisories
Medium severity6.4NVD Advisory· Published May 27, 2026

CVE-2026-8873

CVE-2026-8873

Description

The Content Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Content Slideshow WordPress plugin ≤2.4.1 suffers from stored XSS via shortcode attributes, allowing contributor+ attackers to inject arbitrary scripts.

Vulnerability

The Content Slideshow plugin for WordPress (versions up to and including 2.4.1) contains a stored cross-site scripting vulnerability in its shortcode attributes. The content_slideshow_get_embed function in slideshow-widget-shortcode.php [1][2] fails to properly sanitize user-supplied attributes such as size, year, month, mode, and captions, allowing injection of malicious web scripts.

Exploitation

An authenticated attacker with at least Contributor-level access can insert a shortcode (e.g., [content_slideshow captions="") into a post or page. The injected script is stored in the database and executes whenever a user accesses the affected page. No additional user interaction beyond visiting the page is required.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information. The attack is stored, so every visitor to the compromised page is affected.

Mitigation

No official patch has been released in the available references [1][2]. As a workaround, site administrators should restrict the contributor role from using shortcodes or disable the plugin entirely until a security update is available.

References
  1. https://plugins.trac.wordpress.org/browser/content-slideshow/tags/2.4.1/slideshow-widget-shortcode.php#L143
  2. https://plugins.trac.wordpress.org/browser/content-slideshow/tags/2.4.1/slideshow-widget-shortcode.php#L14

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.