CVE-2026-1885 in Slideshow Wp Plugin
Summary
by MITRE • 02/11/2026
The Slideshow Wp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sswpid' attribute of the 'sswp-slide' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 02/12/2026
The vulnerability identified as CVE-2026-1885 affects the Slideshow Wp plugin for WordPress, specifically targeting versions up to and including 1.1. This represents a critical security flaw that exploits a stored cross-site scripting vulnerability within the plugin's shortcode functionality. The vulnerability manifests through the 'sswpid' attribute of the 'sswp-slide' shortcode, where insufficient input sanitization and output escaping mechanisms fail to properly validate or sanitize user-supplied data before processing. The flaw is particularly concerning because it allows authenticated attackers who possess contributor-level access or higher to inject malicious scripts into the plugin's functionality. This access level is significant as it enables attackers to leverage the vulnerability without requiring administrator privileges, making the threat more accessible and potentially more damaging within compromised WordPress environments.
The technical exploitation of this vulnerability occurs through the manipulation of the 'sswpid' attribute parameter within the 'sswp-slide' shortcode implementation. When an authenticated user with contributor privileges creates or modifies content containing malicious script code within this parameter, the script becomes permanently stored within the plugin's data handling mechanisms. The insufficient input sanitization means that the plugin fails to properly validate the incoming data, while the inadequate output escaping prevents the system from properly encoding or filtering the script content before it gets rendered in web pages. This combination creates a persistent XSS vector that can affect any user who accesses pages containing the maliciously injected content, regardless of their privilege level or authentication status. The vulnerability operates under the CWE-79 category of Cross-Site Scripting, specifically classified as a stored XSS variant where the malicious payload is stored on the server and executed when other users access affected pages.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with potential access to sensitive user data, session hijacking capabilities, and the ability to perform actions on behalf of legitimate users. Attackers can leverage this vulnerability to inject malicious scripts that could redirect users to phishing sites, steal session cookies, or even execute more sophisticated attacks such as privilege escalation within the WordPress environment. The fact that this vulnerability affects users with contributor-level access is particularly troubling because it means that malicious actors can compromise WordPress sites through relatively low-privilege accounts, potentially leading to widespread security breaches. The stored nature of this XSS vulnerability means that the malicious scripts remain persistent and can affect multiple users over time, unlike reflected XSS attacks that require specific user interaction to trigger. This vulnerability directly aligns with ATT&CK technique T1566.001 for initial access through spearphishing attachments and T1059.001 for command and scripting interpreter, as it allows attackers to execute arbitrary code through web-based vectors.
Mitigation strategies for this vulnerability should focus on immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. Administrators should ensure that all users with contributor-level access or higher are properly monitored and that privilege levels are maintained according to the principle of least privilege. The implementation of proper input validation and output escaping mechanisms should be enforced throughout the plugin's codebase, with specific attention to how shortcode parameters are processed. Regular security audits of WordPress plugins should be conducted to identify similar vulnerabilities, and automated scanning tools should be employed to detect potential XSS vectors in custom code implementations. Additionally, organizations should implement web application firewalls that can detect and block malicious script injection attempts, while maintaining comprehensive logging and monitoring of user activities within WordPress environments to quickly identify potential exploitation attempts. The vulnerability highlights the importance of proper security practices in plugin development, particularly around input validation and output encoding, which are fundamental requirements for preventing XSS attacks according to industry security standards.