VYPR
Medium severity 6.4 · NVD Advisory · Published Jun 6, 2026

CVE-2026-8900

Description

Stored XSS in Simple SEO Slideshow plugin for WordPress allows authenticated users to inject scripts via shortcode attributes, impacting site visitors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via shortcode attributes in all versions up to and including 1.2.8. The flaw stems from insufficient input sanitization and output escaping, specifically in how shortcode attribute values are handled by WordPress KSES before the post is saved.

Exploitation

An authenticated attacker with at least contributor-level access can inject arbitrary web scripts into pages by exploiting the insufficient sanitization of shortcode attribute values. The malicious scripts are persisted when the post is saved and will execute when any user, including administrators, views the compromised page.

Impact

Successful exploitation allows an attacker to execute arbitrary web scripts in the context of a victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites, impacting any user who views the injected page, regardless of their privilege level.

Mitigation

Versions of the Simple SEO Slideshow plugin up to and including 1.2.8 are affected. A patched version has not yet been publicly disclosed in the available references. Users are advised to disable or remove the plugin until a secure version is released.
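
Because the injected shortcode is stored in the post content, it stays in the database after the plugin is disabled or removed. The script below is an added example, not code from the advisory or the plugin: it scans exported post content for shortcode attribute values that carry markup or script syntax. The tag name `example_slideshow`, the sample posts and the heuristics are assumptions, since the advisory does not name the plugin's shortcode.

```python
import re

# Simplified shortcode grammar: [tag a="v" b='v' c=v]. WordPress's own parser
# accepts more forms; this covers the common ones for triage.
SHORTCODE_RE = re.compile(r"\[([A-Za-z][\w-]*)((?:\s+[^\]]*)?)\]")
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"\]]+))""")

# Things a plain attribute value (id, size, CSS class, caption) rarely needs.
SUSPICIOUS = [
    ("markup character", re.compile(r'[<>"`]')),
    ("encoded markup", re.compile(r"&(?:#0*(?:34|60|62)|#x0*(?:22|3c|3e)|quot|lt|gt);", re.I)),
    ("event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script URL scheme", re.compile(r"^\s*(?:javascript|vbscript|data)\s*:", re.I)),
]


def audit_post(post_id, content, tags=None):
    """Return (post_id, tag, attribute, reason) for each flagged attribute."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        tag, raw_attrs = sc.group(1), sc.group(2)
        if tags and tag not in tags:
            continue
        for m in ATTR_RE.finditer(raw_attrs):
            value = next(g for g in m.groups()[1:] if g is not None)
            reason = next((r for r, p in SUSPICIOUS if p.search(value)), None)
            if reason:
                findings.append((post_id, tag, m.group(1), reason))
    return findings


def audit_posts(posts, tags=None):
    """posts maps post ID -> post_content, e.g. rows exported from wp_posts."""
    return [f for pid in sorted(posts) for f in audit_post(pid, posts[pid], tags)]


# Constructed sample content. "example_slideshow" is a hypothetical tag name;
# the advisory does not name the plugin's shortcode, so pass the real one.
SAMPLE_POSTS = {
    101: '[example_slideshow id="12" width="600"]',
    102: "[example_slideshow id=\"7\" title='x\" onmouseover=\"PLACEHOLDER']",
    103: '[example_slideshow link="javascript:void(0)"]',
    104: '[gallery ids="1,2" class="a&quot;b"]',
}

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS, tags={"example_slideshow"}):
        print(finding)
```

The checks are triage heuristics: a flagged post needs manual review, and a clean result does not prove the content is safe.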

AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

5
