CVE-2026-1899 in Any Post Slider Plugin
Summary
by MITRE • 03/21/2026
The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aps_slider shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on the 'post_type' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 03/21/2026
The Any Post Slider plugin for WordPress presents a critical stored cross-site scripting vulnerability affecting all versions up to and including 1.0.4. The flaw stems from inadequate input sanitization and output escaping in the plugin's aps_slider shortcode, specifically in its handling of the 'post_type' attribute. Authenticated attackers with Contributor-level access or higher can place a crafted shortcode in content so that malicious web scripts are rendered by the plugin, creating a persistent risk for every user who views a page containing the injected content.
Technically the vulnerability falls under CWE-79, which covers cross-site scripting flaws where untrusted data is incorporated into a web page without proper sanitization or escaping. It exists because the plugin does not validate or sanitize the 'post_type' attribute before incorporating it into the shortcode output. Because a shortcode and its attribute values are saved together with the content in which they were placed, the injected JavaScript is stored and re-rendered on every page load, making the attack persistent rather than transient.
Operationally, this vulnerability poses significant risk to WordPress installations running the Any Post Slider plugin. An attacker with Contributor-level access can execute arbitrary script in the browser of any user who views a page containing the malicious shortcode, which may compromise that user's session, expose sensitive information, or redirect the user to a malicious site. Because the payload is stored, it remains active until it is removed, so the threat persists across user sessions and page views.
The impact extends beyond immediate script execution, since it gives attackers potential access to user data and session information, particularly when combined with other attack vectors. Any WordPress site with the Any Post Slider plugin installed and active is affected, which makes this a broad concern for sites that rely on third-party plugins for added functionality. Organizations using the plugin should immediately apply mitigations: update to a patched version, enforce proper input validation, and monitor for unauthorized shortcode modifications.
The recommended mitigation is to update to the latest version of the Any Post Slider plugin, in which the issue has been addressed through proper input sanitization and output escaping. Administrators should additionally apply role-based access controls that limit who can modify plugin configurations and shortcode parameters, reducing the attack surface for exploitation. The vulnerability underlines the importance of input validation and output escaping in plugin development; these are fundamental requirements in the OWASP Top Ten security practices and align with ATT&CK technique T1566 for credential access through web application vulnerabilities.
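As an added illustration of the sanitization and output-escaping point made in the analysis (this is hypothetical example code written for this page, not the Any Post Slider plugin's source or its patch), the following WordPress shortcode handler shows the unsafe pattern the advisory describes next to a hardened version. The shortcode tag `example_slider`, the function names and the generated markup are assumptions; the WordPress core functions used (`shortcode_atts`, `sanitize_key`, `post_type_exists`, `get_post_types`, `esc_attr`, `esc_html`, `esc_url`, `wp_reset_postdata`) are real.

```php
<?php
/*
 * Hypothetical WordPress shortcode handler (NOT the Any Post Slider plugin's
 * code) contrasting the unsafe pattern described in the advisory with a
 * hardened replacement. Shortcode tag, function names and markup are
 * assumptions chosen for illustration only.
 */

defined( 'ABSPATH' ) || exit;

/**
 * UNSAFE pattern: the attribute comes straight from the shortcode and is
 * written into markup with neither validation nor escaping. A Contributor
 * who can place the shortcode in a post controls the 'post_type' value, so
 * whatever they put there reaches every viewer's browser unchanged.
 */
function example_slider_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'post_type' => 'post' ), $atts, 'example_slider' );
    // Vulnerable: raw attribute value interpolated into an HTML attribute.
    return '<div class="slider" data-post-type="' . $atts['post_type'] . '"></div>';
}

/**
 * HARDENED pattern: normalise the value, allow-list it against post types
 * that are actually registered and public, fail closed to 'post', and still
 * escape at the point of output (defence in depth).
 */
function example_slider_safe( $atts ) {
    $atts = shortcode_atts( array( 'post_type' => 'post' ), $atts, 'example_slider' );

    // sanitize_key() lowercases and strips everything outside [a-z0-9_-],
    // which removes quotes, angle brackets, slashes and whitespace.
    $post_type = sanitize_key( $atts['post_type'] );

    // Accept only slugs of registered, publicly queryable post types.
    $public_types = get_post_types( array( 'public' => true ), 'names' );
    if ( '' === $post_type
        || ! post_type_exists( $post_type )
        || ! isset( $public_types[ $post_type ] ) ) {
        $post_type = 'post'; // fail closed to a known-good value
    }

    $query = new WP_Query( array(
        'post_type'      => $post_type,
        'post_status'    => 'publish',
        'posts_per_page' => 5,
    ) );

    // Escape every value at output time, even ones that passed the allow-list.
    $out = '<div class="slider" data-post-type="' . esc_attr( $post_type ) . '">';
    while ( $query->have_posts() ) {
        $query->the_post();
        $out .= '<a href="' . esc_url( get_permalink() ) . '">'
              . esc_html( get_the_title() ) . '</a>';
    }
    wp_reset_postdata();

    return $out . '</div>';
}

add_shortcode( 'example_slider', 'example_slider_safe' );
```

The two controls are deliberately independent: the allow-list means an attacker-chosen value never reaches the query or the markup, and `esc_attr()` at output means that even if the allow-list were later weakened, the value could not break out of the HTML attribute. Escaping late (at output) rather than only sanitizing early is what WordPress coding standards require, and it is the part the advisory says was missing.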