CVE-2026-15097 in Slider Module
Summary
by MITRE • 07/11/2026
The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'height_slider' Slider Module Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/11/2026
The Themify Builder plugin represents a widely used page building framework for wordpress environments that allows users to create complex layouts through visual drag-and-drop interfaces. This particular vulnerability affects all versions up to and including 7.7.6, making it a significant concern for wordpress installations that rely on this plugin for content creation and website building operations. The vulnerability manifests within the 'height_slider' slider module field, which serves as one of several configurable elements within the builder interface designed to control visual presentation parameters of webpage components.
The technical flaw stems from insufficient input sanitization and output escaping mechanisms within the plugin's codebase. When authenticated users with contributor-level access or higher submit data through the height_slider module field, the plugin fails to properly validate or sanitize the incoming data before storing it in the wordpress database. This lack of proper sanitization creates an environment where malicious scripts can be stored alongside legitimate content without appropriate filtering mechanisms. The vulnerability specifically targets the slider module's handling of user input, where the plugin does not adequately escape output when rendering these stored values back to users, creating a classic stored cross-site scripting condition.
The operational impact of this vulnerability extends beyond simple script injection as it provides attackers with persistent access vectors that can execute malicious code within the context of any user who views affected pages. Since contributors and above have sufficient privileges to modify content, an attacker can craft malicious scripts that will execute whenever any user accesses pages containing the injected content. This creates a persistent threat vector where even users with lower privilege levels could be compromised if they access pages created by attackers. The vulnerability affects all users who view pages containing the maliciously stored scripts, potentially leading to session hijacking, data theft, or further exploitation of the compromised wordpress environment.
This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications, and represents a direct violation of secure coding practices that require input validation and output escaping. From an attack perspective, this issue maps to ATT&CK technique T1566.001 related to spearphishing attachments and T1203 which covers exploitation for privilege escalation. The vulnerability demonstrates how seemingly innocuous configuration fields within page builders can become attack vectors when proper security controls are omitted. Organizations should implement immediate mitigations including plugin updates to versions that address this specific vulnerability, along with monitoring for unauthorized content modifications and implementing additional access controls to limit contributor-level privileges where possible.
The exploitation scenario involves attackers elevating their privileges through the contributor role to inject malicious scripts into slider module fields, which then execute whenever pages containing these elements are accessed. The stored nature of the vulnerability means that impacts persist long after initial compromise, potentially allowing for extended periods of unauthorized access or data exfiltration. This makes the vulnerability particularly dangerous as it can remain undetected for extended periods while continuing to compromise user sessions and potentially provide attackers with persistent footholds within wordpress installations.