CVE-2026-8900
MediumCVSS 6.4Summary
The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via Shortcode Attributes in all versions up to and including 1.2.8 due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Risk Assessment
Attackers can inject malicious scripts, posing a risk of user data theft and session hijacking of administrators. This can lead to serious security breaches within the organization.
Recommendation
It is recommended to update the plugin to the latest version to mitigate this vulnerability. Additionally, conducting a security audit of existing content to detect potential malicious scripts is advisable.
Original NVD description (English source)
The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. WordPress KSES does not strip malicious shortcode attribute values on post save, allowing contributor-level users to persist payloads that execute for any visitor, including administrators reviewing the post.

