CVE-2026-1275 in Multi Post Carousel by Category Plugin
Summary
by MITRE • 03/21/2026
The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slides' shortcode attribute in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on the user-supplied 'slides' parameter in the post_slides_shortcode function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 03/27/2026
The Multi Post Carousel by Category plugin for WordPress contains a stored cross-site scripting vulnerability, tracked as CVE-2026-1275, in all versions up to and including 1.4. The flaw lies in the post_slides_shortcode function: the value of the 'slides' shortcode attribute is neither sanitized on input nor escaped on output before it is rendered into the page. An authenticated attacker with Contributor-level privileges or higher can therefore place a crafted shortcode in post content; the payload is saved in the WordPress database and rendered every time that content is displayed, which makes this a stored rather than a reflected XSS. Because the injected script is served from the site's own origin, the same-origin policy offers no protection, and the payload runs in the browser of every user who loads an affected page, including editors and administrators previewing or moderating the contributor's post.
The weakness is CWE-79 (improper neutralization of input during web page generation) in its stored form: the payload is written to the server once and executed on every subsequent request for the page. Contributor accounts do not have the unfiltered_html capability, so raw script tags in their post content are stripped by KSES; the shortcode is the route around that filter, because the shortcode text itself survives KSES and the plugin's handler later turns the attribute value into HTML without any escaping. The attacker supplies a 'slides' value that closes the intended HTML attribute or element and appends an event handler or script, then saves the post. When another user renders a page containing the shortcode, the browser executes the script in that user's session context. WordPress authentication cookies are HttpOnly, so the cookies themselves are not directly readable, but a script running in an administrator's browser can fetch a nonce and call admin-ajax.php or the REST API with the administrator's privileges, and it can also alter the displayed content or redirect the visitor to an attacker-controlled site. The root cause is the absence of both input validation and output escaping in the shortcode processing path.
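To make the processing path concrete, the PHP below places a shortcode handler with the weakness class described above beside a hardened version. This is an added illustration written for this page, not code from the Multi Post Carousel by Category plugin; the advisory does not include the plugin's source, so the generated markup, the meaning of the 'slides' attribute (taken here to be a slide count) and the payload are assumptions. The stand-in definitions let the file run with plain php outside WordPress; inside a WordPress install the real shortcode_atts(), esc_attr() and absint() are already defined and the stand-ins are skipped.

```php
<?php
// Added illustration for this page, not the plugin's code. The advisory does
// not include the plugin's source, so the meaning of the 'slides' attribute
// (assumed here to be a slide count) and the markup are assumptions used to
// show the weakness class and its fix.

// Stand-ins so the file runs with plain `php` outside WordPress. Inside
// WordPress these functions already exist and the stand-ins are skipped.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($maybeint): int {
        return abs((int) $maybeint);
    }
}

// Vulnerable shape: the attribute value is concatenated straight into an HTML
// attribute. Nothing here distinguishes "4" from a string that closes the
// attribute and adds an event handler.
function post_slides_shortcode_vulnerable(array $atts): string {
    $a = shortcode_atts(['slides' => '3'], $atts);
    return '<div class="carousel" data-slides="' . $a['slides'] . '"></div>';
}

// Hardened shape: decide what the value is allowed to be (a positive integer),
// coerce it, and still escape at the point of output. Either step alone stops
// this payload; doing both is the WordPress convention.
function post_slides_shortcode_fixed(array $atts): string {
    $a = shortcode_atts(['slides' => '3'], $atts);
    $slides = absint($a['slides']);
    if ($slides < 1) {
        $slides = 3;
    }
    return '<div class="carousel" data-slides="' . esc_attr((string) $slides) . '"></div>';
}

// Constructed payload of the attribute break-out kind the advisory describes.
$payload = '3" onmouseover="alert(document.domain)" x="';

echo "vulnerable: ", post_slides_shortcode_vulnerable(['slides' => $payload]), PHP_EOL;
echo "fixed:      ", post_slides_shortcode_fixed(['slides' => $payload]), PHP_EOL;
```

Run it with php on the command line: the vulnerable handler emits a div that carries the attacker's onmouseover attribute, while the hardened handler reduces the same input to data-slides="3". Note that the fix is not only esc_attr(); deciding what type the attribute is supposed to hold and coercing to it is what makes the handler robust against variations of the payload.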
The operational impact goes beyond the script itself. Contributor is the lowest role that can create posts, so any site that accepts guest authors or grants that role on registration is exposed, as is any site where a contributor account has been phished or credential-stuffed. Contributors cannot publish, but their drafts are routinely previewed by editors and administrators, which is exactly the audience an attacker wants. Script executing in an administrator's session can create a new administrator user, install or edit plugin and theme files, or change site options, any of which gives the attacker a persistent foothold and can lead to full site compromise. Once an affected post is published, every visitor who loads the page is exposed, so containment after the fact means auditing stored content across the site, not just disabling the account that introduced the payload.
Remediation starts with updating the plugin to a release that validates the 'slides' attribute and escapes it on output; in WordPress terms, coerce the value to the type it is supposed to be, for example with absint() or sanitize_text_field(), and wrap it in esc_attr() or esc_html() where it is printed. If no fixed release is available, deactivate the plugin or remove the shortcode from content until one is. The same discipline applies to every shortcode attribute the site's plugins accept. A Content Security Policy can reduce the impact of injected inline handlers and scripts, but WordPress core and most plugins emit inline scripts, so a policy strict enough to block this class of payload normally requires nonces or hashes and careful testing. In ATT&CK terms the attacker's post-exploitation behaviour maps to T1059.007 (Command and Scripting Interpreter: JavaScript), since the injected code runs as JavaScript in victims' browsers. Defensively, restrict the Contributor role to accounts that need it, inspect the raw post_content of pending contributions (from the database or WP-CLI) rather than only previewing them in a browser while logged in as an administrator, scan stored content for shortcode attributes that contain HTML or event-handler syntax, and periodically audit third-party plugins for the same pattern of unescaped shortcode output.
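One way to perform the content scan suggested above, as an added example that is not part of the advisory or the plugin: a PHP function that extracts shortcode attributes from post_content and flags values containing HTML metacharacters, an on*= event handler, a javascript: URL, a stray quote, or a non-numeric 'slides' value. The shortcode tag name post_slides is an assumption (the advisory only names the handler function), and the sample posts are constructed for the demonstration.

```php
<?php
// Added example for this page, not plugin or advisory code.
// Assumption: the plugin registers its shortcode as [post_slides ...].

/**
 * Return one entry per shortcode attribute in $content whose value looks like
 * an injection attempt. The attribute grammar follows the shape WordPress's
 * shortcode_parse_atts() accepts: key="v", key='v' or key=v.
 */
function find_suspicious_shortcode_atts(string $content, string $tag = 'post_slides'): array {
    $hits = [];
    // Every [tag ...] occurrence; the lookahead stops [post_slides_other] from matching.
    $pattern = '/\[' . preg_quote($tag, '/') . '(?=[\s\]])([^\]]*)\]/i';
    if (!preg_match_all($pattern, $content, $shortcodes, PREG_SET_ORDER)) {
        return $hits;
    }
    foreach ($shortcodes as $sc) {
        preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))/', $sc[1], $attrs, PREG_SET_ORDER);
        foreach ($attrs as $a) {
            $name  = strtolower($a[1]);
            $value = '';
            foreach ([2, 3, 4] as $g) {          // whichever quoting alternative matched
                if (isset($a[$g]) && $a[$g] !== '') { $value = $a[$g]; break; }
            }
            $reason = suspicious_reason($name, $value);
            if ($reason !== null) {
                $hits[] = ['shortcode' => $sc[0], 'attr' => $name, 'value' => $value, 'reason' => $reason];
            }
        }
    }
    return $hits;
}

// Ordered from most to least specific; the first matching rule is reported.
function suspicious_reason(string $name, string $value): ?string {
    if (preg_match('/[<>]/', $value))               return 'html metacharacters';
    if (preg_match('/\bon\w+\s*=/i', $value))       return 'event handler';
    if (preg_match('/javascript\s*:/i', $value))    return 'javascript: url';
    if (preg_match('/["\']/', $value))              return 'quote character (attribute break-out)';
    if ($name === 'slides' && !ctype_digit($value)) return 'non-numeric slide count';
    return null;
}

// Constructed sample post_content values. In a WordPress install the rows would
// come from: SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[post_slides%'
$posts = [
    101 => 'Intro text [post_slides category="news" slides="4"] more text',
    102 => '[post_slides slides=\'3" onmouseover="alert(document.domain)" x="\']',
    103 => '[post_slides slides="<img src=x onerror=alert(1)>"]',
    104 => '[post_slides_alt slides="abc"] different shortcode, not scanned',
];

foreach ($posts as $id => $content) {
    foreach (find_suspicious_shortcode_atts($content) as $hit) {
        printf("post %d: attribute '%s' flagged (%s): %s\n", $id, $hit['attr'], $hit['reason'], $hit['value']);
    }
}
```

Post 101 produces no output, posts 102 and 103 are each flagged once, and post 104 is skipped because its tag differs. The same function can be wired into the wp_insert_post_data filter to reject or hold contributions at save time, or run over an exported wp_posts table after the fact when auditing a site that ran a vulnerable version; it is a heuristic for triage, not a replacement for the plugin fix.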